As Caschy, among others, reports on his blog, Synology has discovered a vulnerability rated Critical in the VPN Plus Server implementation of SRM. Both VPN Plus Server for SRM 1.3 and VPN Plus Server for SRM 1.2 are affected. Updates that close the security gap are available for both versions.
Few details about the patch are available
Users of VPN Plus Server for SRM 1.3 are advised to update to 1.4.4-0635 or later; VPN Plus Server users can upgrade to 1.4.3-0534 or later. So far the company has disclosed little about the vulnerability, so it is not yet known whether it has been actively exploited. Either way, users should install the update as soon as possible.
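The practical check a fleet administrator wants here is whether each installed VPN Plus Server version is at or above the fixed version for its SRM branch. The following script is an added example, not code from Synology or from the article; it parses Synology-style `MAJOR.MINOR.PATCH-BUILD` version strings and compares them numerically (so `1.4.10` correctly ranks above `1.4.4`). The SRM 1.3 mapping comes straight from the text; pairing `1.4.3-0534` with SRM 1.2 is an assumption drawn from the article naming both branches, and the host inventory is constructed sample data.

```python
import re

# Minimum fixed VPN Plus Server versions per SRM branch.
# SRM 1.3 -> 1.4.4-0635 is stated in the article.
# SRM 1.2 -> 1.4.3-0534 is an assumption (the article lists both branches
# and both versions but only ties the first pair explicitly).
FIXED_VERSIONS = {
    "SRM 1.3": "1.4.4-0635",
    "SRM 1.2": "1.4.3-0534",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH-BUILD' into a tuple of ints for numeric comparison.

    String comparison would be wrong here ('1.4.10' < '1.4.4' lexically),
    so every component is converted to an integer first.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(installed: str, srm_branch: str) -> bool:
    """True when the installed package is at or above the fix for its SRM branch."""
    try:
        fixed = FIXED_VERSIONS[srm_branch]
    except KeyError:
        raise ValueError(f"unknown SRM branch: {srm_branch!r}") from None
    return parse_version(installed) >= parse_version(fixed)


def audit(inventory: dict) -> dict:
    """Map each host to True (patched) or False (needs the update).

    inventory: {hostname: (srm_branch, installed_vpn_plus_version)}
    """
    return {
        host: is_patched(version, branch)
        for host, (branch, version) in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the vulnerable
    # version numbers below are made up for illustration.
    sample = {
        "router-hq": ("SRM 1.3", "1.4.4-0635"),
        "router-branch-a": ("SRM 1.3", "1.4.3-0534"),
        "router-branch-b": ("SRM 1.2", "1.4.3-0534"),
        "router-lab": ("SRM 1.2", "1.4.2-0500"),
    }
    for host, ok in audit(sample).items():
        print(f"{host}: {'patched' if ok else 'UPDATE REQUIRED'}")
```

Run the script as-is to see the constructed inventory evaluated; in practice you would feed `audit()` the branch and package version collected from each device. Note that on SRM 1.3 a device still on 1.4.3-0534 is reported as unpatched, because that build only counts as fixed for the other branch.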
In a security advisory, Synology summed up the issue as follows:
The vulnerability allows remote attackers to execute arbitrary commands through a vulnerable version of Synology VPN Plus Server. More details will be released once the update has actually reached affected users. There is currently no matching CVE entry.
Security researcher Kevin Wang reported the vulnerability. Wang had already discovered a similar vulnerability in October and reported it to the company.