CVE-2017-9554

MEDIUM EXPLOITED IN THE WILD

Synology DSM <6.1.3-15152 - Info Disclosure

Title source: llm

Description

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.

Exploits (4)

nomisec WORKING POC 2 stars

by rfcl · remote

https://github.com/rfcl/Synology-DiskStation-User-Enumeration-CVE-2017-9554-

View Code ZIP pw:eip

nomisec WORKING POC

by Ez0-yf · remote

https://github.com/Ez0-yf/CVE-2017-9554-Exploit-Tool

View Code ZIP pw:eip

metasploit SCANNER

by h00die, Steve Kaun · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/synology_forget_passwd_user_enum.rb

View Code ZIP pw:eip

exploitdb WRITEUP

by Steve Kaun · textwebappscgi

https://www.exploit-db.com/exploits/43455

View Code ZIP pw:eip

References (2)

[Mitigation, Vendor Advisory] https://www.synology.com/en-global/support/security/Synology_SA_17_29_DSM

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/43455/

Scores

CVSS v3 5.3

EPSS 0.5787

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2021-12-23

InTheWild.io 2021-12-23

CWE

CWE-200

Status published

Products (2)

synology/diskstation_manager < 6.1.1-15101-4

n/a/n/a

Published Jul 24, 2017

Tracked Since Feb 18, 2026