CVE-2025-10466
Description
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Synology Safe Access before 1.3.1-0329 allows admin users to read/write files or cause limited denial-of-service in SRM.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Safe Access package for Synology Router Manager (SRM) prior to version 1.3.1-0329. The issue stems from improper neutralization of user-supplied input during web page generation (CWE-79) in Safe Access. The vulnerable code path is reachable by remote authenticated users with administrator privileges. Affected versions include all releases of Safe Access for SRM 1.3 before the fixed version [1].
Exploitation
An attacker must have valid administrator credentials for SRM and network access to the web interface. By injecting script payloads into Safe Access input fields, the attacker can store the payload so that it executes when another administrator loads the affected page [1]. This is why the CVSS vector fragment (PR:H/UI:R) records both high privileges (an administrator account) and user interaction (a victim administrator viewing the page) as requirements [1].
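To make the CWE-79 pattern described above concrete, the following is an added, generic illustration written for this page; it is not Synology's code (no Safe Access source is available here) and every name in it is hypothetical. It renders a list of administrator-saved values once without and once with output encoding, and includes the check a reviewer or unit test would use to tell the two apart.

```python
import html
from typing import Iterable, List

# Constructed sample data: values an administrator might save in a
# management UI (e.g. names of filter profiles). The second entry carries
# markup characters purely to show the effect of missing output encoding.
STORED_PROFILE_NAMES: List[str] = [
    "Kids devices",
    '<b>Guest" network</b>',
]


def render_unsafe(names: Iterable[str]) -> str:
    """Vulnerable pattern (CWE-79): stored input is concatenated into HTML
    verbatim, so any markup in it becomes part of the page for whoever
    views it later (stored XSS)."""
    rows = "".join(f"<li>{name}</li>" for name in names)
    return f"<ul>{rows}</ul>"


def render_safe(names: Iterable[str]) -> str:
    """Hardened pattern: every stored value is HTML-escaped at output time.
    quote=True also escapes double and single quotes, which matters when a
    value lands inside an attribute."""
    rows = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in names)
    return f"<ul>{rows}</ul>"


def has_unescaped_markup(values: Iterable[str], rendered: str) -> bool:
    """Review/test check: does any stored value that contains markup
    characters appear verbatim in the rendered output? True means the
    renderer is missing output encoding for that value."""
    for value in values:
        if any(ch in value for ch in '<>"\'&') and value in rendered:
            return True
    return False


if __name__ == "__main__":
    unsafe = render_unsafe(STORED_PROFILE_NAMES)
    safe = render_safe(STORED_PROFILE_NAMES)
    print("unsafe:", unsafe, "-> unescaped markup:", has_unescaped_markup(STORED_PROFILE_NAMES, unsafe))
    print("safe:  ", safe, "-> unescaped markup:", has_unescaped_markup(STORED_PROFILE_NAMES, safe))
```

The fix for a stored XSS is applied at the rendering step, not at the point where the value is saved: escaping on output is what keeps the stored string inert regardless of which page later displays it, and `has_unescaped_markup` is the kind of assertion that can be kept in a test suite to catch a renderer that regresses.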
Impact
Successful exploitation allows the attacker to read or write specific files on the SRM device that contain non-sensitive information, or to conduct limited denial-of-service attacks. The impact is limited in scope (confidentiality, integrity, and availability are all rated low per CVSS) [1]. The attacker cannot gain full control of the device or access sensitive data [1].
Mitigation
Synology has released Safe Access version 1.3.1-0329 for SRM 1.3 to fix this vulnerability. Users should upgrade to this version or later. No workarounds are provided by the vendor, and the advisory states there is no mitigation other than applying the patch [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Synology Safe Access: versions < 1.3.1-0329
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.