CVE-2017-15889

HIGH

Synology Diskstation Manager < 5.2-5967-5 - Command Injection

Title source: rule

Description

Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotehardware

https://www.exploit-db.com/exploits/48514

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Nigusu Kassahun, h00die · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://www.synology.com/en-global/support/security/Synology_SA_17_65_DSM

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/157807/Synology-DiskStation-Manager-smart.cgi-Remote-Command-Execution.html

Scores

CVSS v3 8.8

EPSS 0.6238

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (2)

synology/diskstation_manager < 5.2-5967-5

Synology/DiskStation Manager (DSM) before 5.2-5967-5

Published Dec 04, 2017

Tracked Since Feb 18, 2026