Introduction
A PWN2OWN proven authentication bypass in Synology DiskStation Manager's Single Sign-On implementation allows remote attackers to fully compromise NAS devices by exploiting a flawed SAML authentication path, requiring only prior knowledge of a valid LDAP Distinguished Name. With Synology reporting over 13 million installations worldwide across home and enterprise environments, and NAS devices routinely storing an organization's most sensitive data, this vulnerability represents a meaningful risk to a very large installed base.
Synology's DiskStation Manager (DSM) is the web based operating system that powers all Synology NAS appliances, including the DiskStation, FlashStation, and RackStation product lines. Synology is widely considered the dominant consumer and SMB NAS vendor globally, holding a 4.9 star rating on Gartner Peer Insights and competing primarily with QNAP in a market where North America alone held a 41.40% share in 2025.
Technical Information
Root Cause: CWE-754 in the SAML Authentication Handler
CVE-2025-13392 is classified under CWE-754: Improper Check for Unusual or Exceptional Conditions. The vulnerability resides specifically within the SYNOPAMSSO::samlAuth method in DSM's SSO module. According to the Zero Day Initiative advisory (ZDI-25-1040), the core issue is that the software "permits authentication via a mechanism that should be disabled."
In practical terms, the DSM SSO module maintains a SAML authentication code path that should be inactive or restricted under certain conditions. The samlAuth method fails to properly validate the authentication state when an exceptional condition arises: specifically, when a SAML authentication request arrives through this path carrying a known LDAP Distinguished Name (DN). Rather than rejecting or scrutinizing such requests, the code implicitly trusts them, creating an alternate authentication channel that bypasses normal credential verification.
This root cause is also closely related to CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-289 (Authentication Bypass by Alternate Name), as the exploitation mechanism involves presenting a known DN through an authentication path that should not be available. The CAPEC mapping is CAPEC-115 (Authentication Bypass).
CVSS Breakdown
The CVSS v3.1 base score of 8.1 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H breaks down as follows:
| Metric | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | High | Requires prior knowledge of a valid DN |
| Privileges Required | None | No authentication needed to initiate the attack |
| User Interaction | None | No user action required |
| Scope | Unchanged | Impact limited to the vulnerable component |
| Confidentiality | High | Full access to all NAS data |
| Integrity | High | Full modification capability over NAS data and configuration |
| Availability | High | Full disruption of NAS services possible |
The Attack Complexity is rated High because the attacker must possess prior knowledge of a valid Distinguished Name. In LDAP/SSO contexts, a DN uniquely identifies an entity in a directory structure (for example, cn=admin,ou=users,dc=synology,dc=com). This information could be obtained through LDAP enumeration, information leakage, social engineering, or reconnaissance against directory services.
Attack Flow
Based on the ZDI advisory and Synology's own disclosure, exploitation follows this sequence:
-
Reconnaissance: The attacker obtains a valid Distinguished Name (DN) for a user or administrator account on the target Synology NAS. This could come from LDAP enumeration, information disclosure vulnerabilities, leaked directory data, or knowledge of the organization's directory structure.
-
SAML Request Crafting: The attacker constructs a SAML authentication request that incorporates the known DN. This request is directed at the DSM SSO endpoint, targeting the
SYNOPAMSSO::samlAuthmethod. -
Bypass via Alternate Path: The crafted request reaches the
samlAuthmethod, which processes it through the improperly enabled authentication mechanism. Because the code fails to check for the exceptional condition of receiving authentication through this path (which should be disabled), the request is accepted. -
Authenticated Access: The attacker gains authenticated access to the NAS without providing valid credentials. Depending on the DN used, this could grant administrative control over stored data, system configurations, installed packages, and network settings.
The ZDI advisory describes the attack vector as "network adjacent," meaning the attacker must be able to reach the DSM web interface. In many deployments, DSM is accessible on the local network via ports 5000 (HTTP) and 5001 (HTTPS). In misconfigured environments where DSM is exposed to the internet, the attack surface extends significantly.
PWN2OWN Berlin 2025 Demonstration
This vulnerability was discovered and demonstrated by security researchers Le Trong Phuc (chanze@VRC) and Cao Ngoc Quy (Chino Kafuu) during the PWN2OWN Berlin 2025 hacking competition. The submission was tracked as ZDI-CAN-28409 and published as ZDI-25-1040 on December 3, 2025. The target device was a Synology DiskStation DS925+. The competition saw 28 unique zero days demonstrated across multiple categories, with the Synology DSM vulnerability falling under the NAS/enterprise storage target category.
Broader SAML Authentication Bypass Trend
CVE-2025-13392 fits within a well documented pattern of SAML/SSO authentication bypass vulnerabilities across the industry. Similar flaws have been identified in Fortinet products (CVE-2026-24858, FortiCloud SSO bypass), GitHub Enterprise (SAML bypass via parser differentials), and GitLab (Ruby SAML bypass). PortSwigger's research paper "The Fragile Lock" demonstrated how parser level differentials in SAML implementations can enable full authentication bypass. The common thread is that SAML implementations frequently fail to properly validate exceptional conditions in the authentication flow, creating alternate paths that attackers can exploit.
Patch Information
Synology addressed CVE-2025-13392 through a firmware level fix released under security advisory Synology-SA-25:14, first published on November 19, 2025, and most recently updated on May 27, 2026. The advisory status is marked as Resolved.
The fix corrects the validation logic within the SYNOPAMSSO::samlAuth method, ensuring that authentication requests arriving via the previously permissive SAML mechanism are properly scrutinized rather than implicitly trusted. While Synology has not published a source level diff (DSM is proprietary firmware), the CWE-754 classification indicates the patch introduces stricter checks for conditions that the original code either ignored or handled too permissively in the SSO/SAML pathway.
The patched firmware versions are:
| DSM Branch | Fixed Version |
|---|---|
| DSM 7.3 | 7.3.1-86003-1 or above |
| DSM 7.2.2 | 7.2.2-72806-5 or above |
| DSM 7.2.1 | Not affected (build 69057) |
The fact that DSM 7.2.1 (build 69057) is explicitly listed as not affected suggests the vulnerable SAML SSO code was introduced or modified between the 7.2.1 and 7.2.2 branches, and the patches in 7.2.2-72806-5 and 7.3.1-86003-1 address this regression. Both patched firmware images are publicly available from Synology's archive site and can be applied through the standard DSM update mechanism (Package Center or DSM Update page).
Synology's advisory explicitly states that no workaround exists for this vulnerability. Patching is the only remediation.
Detection Methods
At the time of writing, there are no publicly available Sigma rules, YARA rules, or Snort/Suricata signatures specifically targeting CVE-2025-13392 exploitation. However, defenders have several practical options for identifying vulnerable systems and monitoring for suspicious activity.
Version Based Vulnerability Scanning (OpenVAS)
The most concrete publicly documented detection mechanism is a remote version check available through the OpenVAS scan engine. Pentest-Tools.com cataloged this as "Synology DiskStation Manager (DSM) Authentication Bypass Vulnerability (Synology-SA-25:14) — Remote Known Vulnerable Versions Check," with detection added on November 25, 2025. This check remotely fingerprints exposed DSM instances and compares their reported version against the known vulnerable range. Organizations running OpenVAS or Greenbone Vulnerability Management (GVM) should ensure their NVT feed is current to pick up this detection plugin.
Behavioral and Log Based Monitoring
While no vendor published log correlation rules or SIEM detection content exist, the technical details from ZDI-25-1040 and Synology's advisory provide enough context for defenders to build targeted monitoring. The following behavioral signals in DSM authentication logs warrant attention:
Unexpected SSO/SAML authentication events: Successful authentications through the SSO/SAML pathway on DSM instances where SSO is not actively configured or expected to be in use could indicate exploitation.
Authentication without standard precursors: Logins that succeed via the SAML authentication flow without a corresponding Identity Provider (IdP) redirect or assertion exchange may signal an attacker leveraging this flaw.
DN based authentication anomalies: Since exploitation requires knowledge of a valid DN, watch for authentication attempts referencing unusual or unexpected DN values, or patterns of attempts cycling through multiple DNs, which could indicate enumeration activity.
Network adjacent origin patterns: Both ZDI and Synology describe this as exploitable by network adjacent attackers without credentials. Authentication attempts originating from unexpected network segments or non standard source IPs within the local network are particularly relevant.
Asset Discovery and Exposure Assessment
Given the absence of exploit level detection signatures, identifying all exposed Synology DSM instances in your environment is a critical defensive step alongside patching. Defenders should use asset inventory tools or network scanners to enumerate DSM web interfaces (typically on ports 5000/HTTP and 5001/HTTPS) and verify whether any are running vulnerable DSM versions.
Affected Systems and Versions
The vulnerability affects the following Synology DiskStation Manager versions:
| Product | Vulnerable Versions | Fixed Version | Status |
|---|---|---|---|
| DSM 7.3 | All versions before 7.3.1-86003-1 | 7.3.1-86003-1 or above | Patched |
| DSM 7.2.2 | All versions before 7.2.2-72806-5 | 7.2.2-72806-5 or above | Patched |
| DSM 7.2.1 | 7.2.1-69057 | N/A | Not affected |
The PWN2OWN demonstration was performed against a Synology DiskStation DS925+ running a vulnerable DSM version. The vulnerability is present in any Synology NAS appliance (DiskStation, FlashStation, RackStation) running the affected DSM versions, as DSM is the common operating system across all Synology hardware platforms.
The explicit exclusion of DSM 7.2.1 indicates the vulnerable samlAuth alternate path was introduced as part of changes in the 7.2.2 code branch.
Vendor Security History
Synology has a notable pattern of appearing as a PWN2OWN target in consecutive years:
| Year | Advisory | ZDI Identifiers | Vulnerability Type |
|---|---|---|---|
| 2024 | Synology-SA-24:20 | ZDI-CAN-25403, ZDI-CAN-25613 | Remote code execution |
| 2025 | Synology-SA-25:14 | ZDI-CAN-28409 | SSO authentication bypass |
The recurrence of PWN2OWN exploits targeting DSM suggests that the authentication and SSO subsystems have been a consistent area of weakness in the product line. Beyond PWN2OWN findings, Synology has historically addressed CVEs across multiple DSM versions, including fixes for BlueBorne (CVE-2017-1000250, CVE-2017-1000251), libsoup, FFmpeg, cURL, and netatalk vulnerabilities.
Synology operates as a CVE Numbering Authority (CNA) and follows a coordinated disclosure policy. The company states: "To protect users, we do not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities." For CVE-2025-13392, the advisory was initially published on November 19, 2025, with full vulnerability details disclosed on May 27, 2026, following a roughly six month coordinated disclosure timeline consistent with the PWN2OWN responsible disclosure process.
References
- Synology-SA-25:14 Security Advisory
- Synology-SA-25:14 (Brazil mirror)
- Synology-SA-25:14 (US mirror)
- ZDI-25-1040 Advisory
- CVE Record: CVE-2025-13392
- NVD Entry
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CWE-289: Authentication Bypass by Alternate Name
- LOVI Vulnerability Intelligence: CVE-2025-13392
- Feedly CVE Tracker: CVE-2025-13392
- VulDB Entry: 334187
- HKCERT Security Bulletin
- Pentest-Tools.com OpenVAS Detection Check
- HawkEye Weekly Threat Landscape Digest, Week 48
- PWN2OWN Berlin 2025: Day One Results
- Pwn2Own Hacking Competition 2025 Review (Trend Micro)
- Synology-SA-24:20 DSM (PWN2OWN 2024)
- Synology Product Security Advisory Page
- PortSwigger: The Fragile Lock — Novel Bypasses For SAML Authentication
- GitHub Blog: Sign in as anyone — Bypassing SAML SSO authentication with parser differentials
- Obsidian Security: SSO Bypass Attack Techniques
- SynoForum Discussion: Synology-SA-25:14



