VYPR
patch · Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

Critical Pwn2Own Bug in Synology DiskStation Manager Allows Unauthenticated Root RCE

A critical buffer overflow in Synology DiskStation Manager's Netatalk library, discovered at Pwn2Own, lets unauthenticated remote attackers execute arbitrary code as root.

A critical vulnerability in the Netatalk library of Synology DiskStation Manager (DSM) has been publicly disclosed, carrying a CVSS score of 9.8 and allowing unauthenticated remote attackers to execute arbitrary code with root privileges. The vulnerability, tracked as CVE-2022-45188, was discovered by researchers Kyle Zeng, Wil Gibbs, Jayakrishna Menon, and SEFCOM during the Pwn2Own hacking contest.

The flaw resides in the `afp_getappl` function of the Netatalk service, which implements the Apple Filing Protocol (AFP) for file sharing on Synology NAS devices. The issue stems from a classic buffer overflow: the software copies user-supplied data into a fixed-length buffer without properly validating the length of that data. An attacker can send a specially crafted network request to trigger the overflow and overwrite adjacent memory, ultimately hijacking execution flow.

Because the vulnerable service runs with root privileges, successful exploitation grants the attacker full administrative control over the affected Synology NAS device. No authentication is required to reach the vulnerable code, making the bug trivially exploitable over the network. The advisory notes that all DiskStation Manager installations are affected, though specific version ranges were not detailed in the public disclosure.

Synology has issued a security advisory (Synology_SA_22_23) and released patches to address the vulnerability. The disclosure timeline shows the bug was reported to the vendor on December 29, 2022, with the coordinated public release occurring on March 16, 2026 — a gap of over three years. The advisory was updated on the same day as the public release.

Given the critical severity and the lack of authentication required, this vulnerability poses a significant risk to the millions of Synology NAS devices deployed worldwide in homes, small businesses, and enterprise environments. Synology NAS devices are frequently exposed to the internet for remote file access, which would make them directly reachable by attackers scanning for vulnerable Netatalk services.

The inclusion of this bug in the Pwn2Own contest underscores its real-world exploitability. Pwn2Own is known for demonstrating practical, weaponizable exploits against widely used products. While no active in-the-wild exploitation has been confirmed in the advisory, the public disclosure of technical details and the availability of a patch mean attackers will likely reverse-engineer the fix to develop their own exploits.

Administrators are strongly urged to apply the Synology_SA_22_23 patch immediately. As a temporary mitigation, users can restrict access to the AFP service (port 548) to trusted networks only, or disable the Netatalk service entirely if it is not required. This vulnerability joins a growing list of critical flaws in network-attached storage devices that have been targeted by ransomware groups and other threat actors seeking to encrypt or exfiltrate data.

Synthesized by Vypr AI