CVE-2024-5401

Description

Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.

CVSS v3.1 Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Weakness Type (CWE)

CWE-913 CWE-913

Affected Products

Vendor	Product	Versions
synology	diskstation_manager	7.2.1-69057 — 7.2.1-69057-2
synology	diskstation_manager	7.2.2-72803 — 7.2.2-72806
synology	diskstation_manager_unified_controller	3.1-23028 — 3.1.4-23079

References

Advisories & Patches

https://www.synology.com/en-global/security/advisory/Synology_SA_24_27

Frequently Asked Questions

What is CVE-2024-5401? +

Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors. It has a CVSS v3.1 base score of 4.3 (MEDIUM).

How severe is CVE-2024-5401? +

CVE-2024-5401 has a CVSS v3.1 score of 4.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2024-5401? +

CVE-2024-5401 affects products from synology, specifically: diskstation_manager, diskstation_manager_unified_controller. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-5401? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-48700

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as …

CVE-2025-13426

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a …

CVE-2025-68613 9.9

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain …

CVE-2024-8953 9.8

In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to …

CVE-2024-5452 9.8

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user …

CVE-2025-25270 9.8

An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with …