PatchSiren cyber security CVE debrief
CVE-2021-47960 Synology CVE debrief
A vulnerability in Synology SSL VPN Client versions prior to 1.4.5-0684 exposes files within the installation directory through a local HTTP server bound to the loopback interface. The flaw, classified as files or directories accessible to external parties (CWE-552), enables remote attackers to retrieve sensitive files—including configuration files, certificates, and logs—by inducing user interaction with a crafted web page. The attack requires network access and user interaction but no privileges, resulting in information disclosure with a medium severity CVSS 3.1 score of 6.5. The vulnerability was published in the CVE database on April 10, 2026, and last modified on May 29, 2026. Synology has addressed this issue in version 1.4.5-0684.
- Vendor: Synology
- Product: Synology SSL VPN Client
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-10
- Original CVE updated: 2026-05-29
- Advisory published: 2026-04-10
- Advisory updated: 2026-05-29
Who should care
Organizations deploying Synology SSL VPN Client for remote access connectivity should prioritize this patch, as exposed certificates and configuration files could enable further compromise of VPN infrastructure or lateral movement. Security teams managing endpoint software inventories and patch management programs should ensure version 1.4.5-0684 or later is deployed. Incident response teams should assess whether sensitive files from affected installations may have been exfiltrated, particularly in environments where users may have browsed untrusted content while the VPN client was active.
Technical summary
The Synology SSL VPN Client runs a local HTTP server bound to the loopback interface (127.0.0.1) that serves files from its installation directory without adequate access controls. This allows any web page loaded in a user's browser to make requests to the loopback address and retrieve sensitive files, including configuration data, certificates, and log files. The attack is facilitated through standard web mechanisms such as cross-origin requests or embedded resources, requiring the attacker to lure or trick a user into visiting a malicious page while the SSL VPN Client is running. The confidentiality impact is rated high, though integrity and availability are not affected.
Defensive priority
medium
Recommended defensive actions
- Upgrade Synology SSL VPN Client to version 1.4.5-0684 or later to remediate this vulnerability.
- Restrict user access to untrusted web content and implement browser security controls to reduce the risk of user interaction with crafted malicious pages.
- Monitor for unusual local HTTP traffic on loopback interfaces, particularly from SSL VPN Client processes.
- Review and rotate any certificates or credentials that may have been exposed through affected installations prior to patching.
- Verify installation directory permissions do not allow broader file access than required by the application.
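Added example, not PatchSiren's or Synology's code: a Python check that compares Synology-style version strings against the 1.4.5-0684 remediation version so that an endpoint inventory export can be screened for installs that are still affected, as the "Who should care" section and the first action above call for. The version format is assumed to be dotted release plus build number exactly as in 1.4.5-0684; the inventory rows, hostnames and every version other than 1.4.5-0684 are constructed for this example.

```python
import csv
import io
import re
from typing import List, Tuple

# Remediation version named in the Synology advisory (Synology_SA_26_05).
FIXED_VERSION = "1.4.5-0684"

# Assumed format, modelled on "1.4.5-0684": dotted release plus a build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, build); raise ValueError for any other format."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when 'installed' is strictly older than the fixed version. Tuple order is
    major, minor, patch, build, so 1.4.5-0600 is affected but 1.4.5-0684 and later are not."""
    return parse_version(installed) < parse_version(fixed)

# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """\
host,product,version
laptop-01,Synology SSL VPN Client,1.4.4-0635
laptop-02,Synology SSL VPN Client,1.4.5-0684
laptop-03,Synology SSL VPN Client,1.4.5-0690
laptop-04,Other VPN Client,3.2.1
laptop-05,Synology SSL VPN Client,1.4.5-06xx
laptop-06,Synology SSL VPN Client,1.4.5-0600
"""

def find_unpatched(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for Synology SSL VPN Client rows older than the
    fix; unparseable versions are flagged for review, not silently treated as patched."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"] != "Synology SSL VPN Client":
            continue
        try:
            if is_vulnerable(row["version"]):
                findings.append((row["host"], row["version"], "vulnerable"))
        except ValueError:
            findings.append((row["host"], row["version"], "unparseable"))
    return findings
```

Feed it the CSV export from your endpoint inventory tool; any "unparseable" row needs a manual look because a version string the check cannot read must not be assumed patched.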
Evidence notes
The vulnerability description and affected product version are derived from the official NVD record. The vendor advisory from Synology (Synology_SA_26_05) provides the remediation version 1.4.5-0684. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N confirms network attack vector, low attack complexity, no privileges required, user interaction required, and high confidentiality impact with no integrity or availability impact.
Official resources
- CVE-2021-47960 CVE record (CVE.org)
- CVE-2021-47960 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
This vulnerability involves an information disclosure weakness where a local HTTP service inadvertently serves files from the SSL VPN Client installation directory to the loopback interface. An attacker can exploit this by tricking a user—e