A severe vulnerability in Synology’s DiskStation Manager (DSM) allows remote attackers to execute arbitrary code with no user interaction.

The flaw, disclosed during PWN2OWN 2024, received a Critical severity rating with a CVSS score of 9.8, indicating its potential for widespread exploitation.

The primary vulnerability, identified as CVE-2024-10441, stems from improper encoding or escaping of output in the system plugin daemon.