Synology has released a security update to address a critical vulnerability in VPN Plus Server that could be used to take over an affected system.

The vulnerability, tracked as CVE-2022-43931, carries the maximum CVSS severity score of 10 and is described as an out-of-bounds write in the Remote Desktop functionality of Synology VPN Plus Server.

Successful exploitation of this issue “allows a remote attacker to execute arbitrary commands via an unspecified vector,” the Taiwanese company said, crediting the discovery to its own Product Security Incident Response Team (PSIRT).

Users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and of VPN Plus Server for SRM 1.3 are advised to update to versions 1.4.3-0534 and 1.4.4-0635, respectively.

In a second advisory, the network-attached storage appliance maker warned that several vulnerabilities in SRM could allow remote attackers to execute arbitrary commands, perform denial-of-service attacks, and read arbitrary files. It also warned about the flaws in .

Users are urged to update to versions 1.2.5-8227-6 and 1.3.1-9346-3 to mitigate potential threats; full details of the vulnerabilities have been withheld.
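For administrators with several routers to check, the following is an added example (not Synology's code or any tool from the advisories) that compares installed SRM and VPN Plus Server build strings against the fixed versions named above. The "major.minor.patch-build[-hotfix]" parsing and the mapping of VPN Plus Server fixes to the SRM 1.2 and 1.3 release lines are assumptions drawn from the version strings quoted in the advisories.

```python
# Added example: a defender-side inventory check against the fixed versions
# named in the Synology advisories. Version parsing is an assumption based on
# the "1.4.3-0534" / "1.2.5-8227-6" shapes quoted above, not a Synology API.
import re
from typing import Tuple

# Fixed versions stated in the advisories, keyed by the SRM release line.
FIXED_VPN_PLUS = {"1.2": "1.4.3-0534", "1.3": "1.4.4-0635"}
FIXED_SRM = {"1.2": "1.2.5-8227-6", "1.3": "1.3.1-9346-3"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '1.2.5-8227-6' into (1, 2, 5, 8227, 6) for tuple comparison."""
    parts = re.split(r"[.-]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def release_line(srm_version: str) -> str:
    """'1.3.1-9346-1' -> '1.3' (the major.minor SRM branch)."""
    major, minor = parse_version(srm_version)[:2]
    return f"{major}.{minor}"


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed build is at or above the fixed build.

    A shorter tuple compares lower, so '1.2.5-8227' (no hotfix suffix)
    is treated as older than the fixed '1.2.5-8227-6'.
    """
    return parse_version(installed) >= parse_version(fixed)


def check_router(srm_version: str, vpn_plus_version: str) -> dict:
    """Report whether each of the two advisories still applies to one router."""
    line = release_line(srm_version)
    if line not in FIXED_SRM:
        raise ValueError(f"SRM {line} is not covered by the advisories")
    return {
        "srm_patched": is_patched(srm_version, FIXED_SRM[line]),
        "vpn_plus_patched": is_patched(vpn_plus_version, FIXED_VPN_PLUS[line]),
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for srm, vpn in [("1.3.1-9346-1", "1.4.4-0635"), ("1.2.5-8227-6", "1.4.2-0500")]:
        print(srm, vpn, check_router(srm, vpn))
```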

Gaurav Baruah, CrowdStrike’s Lukas Kupczyk, DEVCORE researcher Orange Tsai, and the Dutch IT security firm Computest have been credited with reporting the vulnerabilities.

It is worth noting that some of the vulnerabilities were demonstrated during the Pwn2Own 2022 competition held in Toronto, Canada, on December 6-9, 2022.