VYPR
High severity · 7.5 · NVD Advisory · Published May 27, 2026

CVE-2025-14713

Description

An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A high-severity vulnerability in Synology C2 Identity Edge Server before 1.76.0-0307 allows remote unauthenticated attackers to obtain user credentials via an exposed dangerous method.

Vulnerability

An Exposed Dangerous Method or Function vulnerability (CWE-749) exists in the Synology C2 Identity Edge Server package for DSM, in package versions before 1.76.0-0307 [1]. The bug allows a remote attacker to invoke a dangerous function that leaks user credentials from the edge server. All installations on DSM 7.1, 7.2.1, 7.2.2, and 7.3 that run an affected package version are vulnerable [1].

Exploitation

The attacker does not require any authentication, user interaction, or special network position; the attack vector is network-based (AV:N) with low attack complexity (AC:L) [1]. By sending crafted requests to the exposed method, an unauthenticated attacker can retrieve stored credentials from the edge server.

Impact

Successful exploitation results in the disclosure of user credentials, leading to a high impact on confidentiality (C:H) [1]. The integrity and availability of the system are not directly affected. The CVSS v3.1 base score is 7.5 (High) [1].

Mitigation

Synology has released the fixed version 1.76.0-0307 for all affected DSM platforms [1]. Users should upgrade the C2 Identity Edge Server package to this version or later. No workarounds are provided by the vendor [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. The mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
