CVE-2025-13392 PUBLISHED

Assigner: synology
Reserved: 19.11.2025 Published: 27.05.2026 Updated: 27.05.2026

Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Synology
Product	DiskStation Manager (DSM)
Versions	Default: affected affected from 7.3 to 7.3.1-86003-1 (excl.) affected from 7.2.2 to 7.2.2-72806-5 (excl.) unaffected from 7.2.1 to 7.2.1.* (excl.) unknown from 0 to 7.2.1 (excl.)

Credits

Le Trong Phuc (chanze@VRC) and Cao Ngoc Quy (Chino Kafuu) finder

References

Synology-SA-25:14 DSM (PWN2OWN 2025)

Problem Types

Improper Check for Unusual or Exceptional Conditions CWE