Synology has released an emergency security patch for its DiskStation Manager (DSM) operating system to address CVE-2026-32746, a critical unauthenticated remote code execution vulnerability rooted in the telnetd component of the GNU Inetutils package.
The flaw carries a CVSS v3 base score of 9.8, one of the highest possible severity ratings, and enables any remote, unauthenticated attacker to execute arbitrary operating system commands on a vulnerable NAS device.
Organizations and individuals running affected DSM versions should immediately apply the available patches or implement the prescribed mitigation measures.
Tracked under security advisory Synology-SA-26:03, this vulnerability is the result of a classic buffer overflow defect (CWE-120) in the LINEMODE SLC suboption handler.
The flaw has broad real-world implications, as Synology NAS devices are widely deployed in both enterprise and home environments for storing critical data, system backups, and sensitive business information.
DiskStation Manager Vulnerability
The vulnerability, CVE-2026-32746, originates in the telnetd service of GNU Inetutils, a legacy suite of network utilities that includes a Telnet daemon.
The flaw affects all versions of GNU Inetutils up to and including version 2.7. It is a memory corruption issue caused by an out-of-bounds write condition in the add_slc() function within the LINEMODE Set Local Characters (SLC) suboption handler.
The root cause is a failure to verify whether the internal buffer is full before copying incoming data, a textbook instance of CWE-120 (Buffer Copy without Checking Size of Input).
An attacker can trigger this out-of-bounds write by sending specially crafted Telnet negotiation packets to the exposed service on TCP port 23. Since no prior authentication and no user interaction are required, the CVSS vector reflects maximum network exploitability: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Successful exploitation grants full control over the targeted system, with potential impacts spanning complete confidentiality loss, system integrity compromise, and service disruption.
| Field | Value |
| --- | --- |
| CVE ID | CVE-2026-32746 |
| Severity | Critical |
| CVSS3 Base Score | 9.8 / 10.0 |
| CVSS3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE Classification | CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) |
| Attack Vector | Network (No authentication required, no user interaction) |
Affected Products
The following Synology products have been evaluated for exposure to CVE-2026-32746. Critically rated versions require immediate patching. Platforms listed as ‘Not Affected’ do not expose the vulnerable telnetd component.
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| DSM 7.3 | Critical | Upgrade to 7.3.2-86009-3 or above |
| DSM 7.2.2 | Critical | Upgrade to 7.2.2-72806-8 or above |
| DSM 7.2.1 | Critical | Upgrade to 7.2.1-69057-11 or above |
| DSMUC 3.1 | Critical | Ongoing — patch in development |
| BeeStation OS 1.4 | Not Affected | N/A |
| SRM 1.3 | Not Affected | N/A |
| VS600HD 1.2 | Not Affected | N/A |
Note: DSMUC 3.1 (Unified Controller) remains in active remediation. Administrators should monitor Synology’s official security advisories for the release date and apply the patch immediately upon availability.
The severity of CVE-2026-32746 is amplified by the deployment profile of Synology NAS devices. These systems are commonly positioned as centralized storage hubs in small and medium businesses, healthcare environments, and home networks — often holding backups, sensitive databases, multimedia libraries, and confidential documents.
A successful exploit would allow an attacker to:
- Execute arbitrary OS commands with the privileges of the telnetd process
- Deploy ransomware to encrypt stored data and demand payment
- Exfiltrate confidential business and personal data silently
- Establish persistent backdoors or implant malware for long-term access
- Conduct lateral movement within internal corporate networks
- Disrupt business continuity by corrupting or deleting critical files
This vulnerability is closely related to a broader class of critical telnetd flaws in GNU Inetutils that have been under active exploitation since early 2026.
Security researchers at TXOne Networks documented coordinated exploitation campaigns targeting Telnet services globally, identifying over 214,000 internet-exposed hosts running Telnet with attack waves shifting from reconnaissance to full weaponization.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a related GNU Inetutils flaw to its Known Exploited Vulnerabilities (KEV) catalog in January 2026.
At its core, CVE-2026-32746 is a stack or heap buffer overflow caused by the add_slc() function in the LINEMODE SLC handler of GNU Inetutils telnetd.
During Telnet option negotiation, the client and server exchange LINEMODE suboptions to configure terminal character handling (e.g., interrupt keys, erase characters). The SLC data structure maps control characters to their negotiated handling modes.
The add_slc() function processes incoming SLC buffers during this negotiation phase. Because it does not validate whether the target buffer has available space before writing, a remote client can send an oversized or malformed SLC data block to trigger an out-of-bounds write.
This memory corruption can overwrite adjacent memory regions, potentially including function pointers, return addresses, or other control data, enabling arbitrary code execution at the privilege level of the telnetd process.
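The missing check described above, as an added example in C. It is a simplified model, not GNU Inetutils or Synology code: the struct, the function names and the 32-byte capacity are assumptions chosen for illustration. It sets an unchecked SLC triplet append beside a version that reserves worst-case space before writing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define IAC 0xFF           /* Telnet "Interpret As Command" byte */
#define SLC_BUF_SIZE 32    /* assumed capacity for this model */

struct slc_reply {         /* hypothetical model of an SLC reply buffer */
    uint8_t buf[SLC_BUF_SIZE];
    size_t len;            /* bytes used so far */
};

/* Append one byte; IAC is doubled inside suboption data (RFC 855). */
static void put_escaped(struct slc_reply *r, uint8_t b)
{
    r->buf[r->len++] = b;
    if (b == IAC)
        r->buf[r->len++] = IAC;
}

/* Unchecked pattern, for contrast only: len is never compared with the
 * capacity, so a long enough run of triplets writes past buf. */
void slc_append_unchecked(struct slc_reply *r, uint8_t func, uint8_t flags, uint8_t val)
{
    put_escaped(r, func); put_escaped(r, flags); put_escaped(r, val);
}

/* Hardened form: require room for the worst case (3 bytes, each doubled)
 * before writing. Returns 0 on success, -1 if the triplet is dropped. */
int slc_append_checked(struct slc_reply *r, uint8_t func, uint8_t flags, uint8_t val)
{
    if (r->len > SLC_BUF_SIZE || SLC_BUF_SIZE - r->len < 6)
        return -1;
    put_escaped(r, func); put_escaped(r, flags); put_escaped(r, val);
    return 0;
}

/* Push n constructed triplets through the checked path; return how many fit. */
size_t slc_fill_checked(struct slc_reply *r, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (slc_append_checked(r, (uint8_t)i, 0x02, IAC) == 0)
            accepted++;
    return accepted;
}
int main(void)
{
    struct slc_reply r = { {0}, 0 };
    printf("accepted %zu of 100 triplets\n", slc_fill_checked(&r, 100));
    return 0;
}
```

The check reserves six bytes rather than three because each of the three bytes may be an IAC that is written twice.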
The primary recommended action is to apply the official Synology security updates for all affected DSM versions as listed in the Affected Products table above.
Patches can be applied through the Synology DSM web interface or via automatic update mechanisms where enabled.
For systems where patching cannot be performed immediately, particularly DSMUC 3.1, which is still awaiting a fix, Synology strongly recommends disabling the Telnet service entirely. This eliminates the attack vector and prevents exploitation until a patch is available.
To disable the Telnet service on Synology DSM:
- Log into the DSM web interface with administrator credentials
- Navigate to Control Panel > Terminal & SNMP
- Uncheck the Enable Telnet service checkbox
- Click Apply to save changes