Changeflow GovPing Data Privacy & Cybersecurity Synology Products Vulnerability Allows Remote C...
Priority review Notice Added Final

Synology Products Vulnerability Allows Remote Code Execution

Favicon for www.cert.ssi.gouv.fr CERT-FR Security Advisories
Published
Detected
Email

Summary

CERT-FR has issued an advisory regarding a critical vulnerability in Synology products that allows for remote code execution. The advisory details affected DSM and DSMUC versions and directs users to Synology's security bulletin for patches, noting that a fix for DSMUC is currently unavailable.

Published by CERT-FR on cert.ssi.gouv.fr . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .
View original document View source feed page

What changed

CERT-FR, the French national cybersecurity agency, has published an advisory (CERTFR-2026-AVI-0338) detailing a critical vulnerability (CVE-2026-32746) affecting specific versions of Synology's DiskStation Manager (DSM) and DSMUC software. This vulnerability enables remote code execution, posing a significant security risk to affected users.

Users of Synology products are strongly advised to consult Synology's security bulletin (SynologySA26_03) for instructions on applying available patches to their DSM systems. It is noted that a security patch for DSMUC 3.1 is currently unavailable, requiring users to exercise additional caution or seek alternative mitigation strategies. Failure to apply patches where available could lead to system compromise.

What to do next

  1. Consult Synology's security bulletin for available patches.
  2. Apply security patches to affected DSM versions.
  3. Monitor for updates regarding the DSMUC 3.1 patch.

Archived snapshot

Mar 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Premier Ministre S.G.D.S.N

Agence nationale
de la sécurité des
systèmes d'information

Paris, le 23 mars 2026 N° CERTFR-2026-AVI-0338 Affaire suivie par: CERT-FR

Avis du CERT-FR

Objet: Vulnérabilité dans les produits Synology

Gestion du document

| Référence | CERTFR-2026-AVI-0338 |
| Titre | Vulnérabilité dans les produits Synology |
| Date de la première version | 23 mars 2026 |
| Date de la dernière version | 23 mars 2026 |
| Source(s) | Bulletin de sécurité Synology SynologySA26_03 du 19 mars 2026 |
Une gestion de version détaillée se trouve à la fin de ce document.

Risque

  • Exécution de code arbitraire à distance

Systèmes affectés

  • DSM versions 7.2.1.x antérieures à 7.2.1-69057-11
  • DSM versions 7.2.2.x antérieures à 7.2.2-72806-8
  • DSM versions 7.3.x antérieures à 7.3.2-86009-3
  • DSMUC 3.1 toutes versions Le correctif de sécurité pour DSMUC 3.1 est indisponible pour l'instant.

Résumé

Une vulnérabilité a été découverte dans les produits Synology. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Documentation

Gestion détaillée du document

  1. le 23 mars 2026 Version initiale

Named provisions

Risk Affected Systems Summary Solutions Documentation

Related changes

Favicon for www.cert.ssi.gouv.fr Trend Micro Deep Discovery Inspector Vulnerability Allows Remote Code Execution
Priority review Mar 24, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity
Favicon for www.cert.ssi.gouv.fr LibreNMS Vulnerability Allows Remote Code Execution
Priority review Mar 24, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity
Favicon for www.cert.ssi.gouv.fr Mitel Products Vulnerability - XSS
Priority review Mar 19, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity

Get daily alerts for CERT-FR Security Advisories

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.cert.ssi.gouv.fr
CERT-FR Security Advisories cert.ssi.gouv.fr/avis
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CERT-FR.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
CERT-FR
Published
March 23rd, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
CERTFR-2026-AVI-0338

Who this affects

Applies to
Technology companies
Industry sector
5112 Software & Technology
Activity scope
Vulnerability Management System Patching
Geographic scope
France FR

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Product Security Vulnerability Management

Browse Categories

Agriculture & Food Safety 73 AI Regulation 3 Banking & Finance 408 Consumer Protection 89 Courts & Legal 411 Data Privacy & Cybersecurity 90 Defense & National Security 53 Education 55 Energy 100 Environment 151 Gaming 2 Government & Legislation 430 Healthcare 15 Healthcare & Life Sciences 375 Immigration 10 Insurance 76 Labor & Employment 132 Pharma & Drug Safety 21 Professional Licensing 8 Real Estate & Housing 78 Securities & Markets 154 Tax 78 Telecom & Technology 47 Trade & Sanctions 141 Transportation 91

Get alerts for this source

We'll email you when CERT-FR Security Advisories publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!