
CVE-2022-27623: CWE-306: Missing Authentication for Critical Function in Synology DiskStation Manager (DSM)

Severity: High
Tags: Vulnerability, CVE-2022-27623, CWE-306
Published: Tue Oct 25 2022 (10/25/2022, 16:30:49 UTC)
Source: CVE
Vendor/Project: Synology
Product: DiskStation Manager (DSM)

Description

Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors.

AI-Powered Analysis

Last updated: 07/05/2025, 10:28:35 UTC

Technical Analysis

CVE-2022-27623 is a high-severity vulnerability in Synology DiskStation Manager (DSM) affecting the iSCSI management functionality in releases before 7.1-42661. The root cause is a missing authentication check on critical functions of that interface (CWE-306): the system does not verify the identity or permissions of the caller before carrying out sensitive operations, so an unauthenticated remote attacker can read or write arbitrary files on the device. The CVSS v3.1 base score is 7.4 (High), from the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N: the attack is network-reachable, needs no privileges and no user interaction, and fully compromises confidentiality and integrity, while availability is unaffected (the 7.4 score corresponds to scope unchanged, S:U). The high attack complexity (AC:H) means exploitation depends on conditions or knowledge outside the attacker's direct control, and it is the only factor keeping the score below the critical range. No exploitation in the wild has been reported, but unauthenticated remote file read and write on a storage appliance is serious: an attacker could exfiltrate stored data, alter the device's configuration, or use the NAS as a foothold to pivot into the rest of the network. The record gives no lower bound on affected versions, only "before 7.1-42661", so every earlier DSM release exposing the iSCSI management functionality should be treated as affected. Given DSM's central role in managing network-attached storage, successful exploitation could have severe consequences.

Potential Impact

For European organizations the impact of CVE-2022-27623 can be substantial, particularly where Synology NAS devices hold data stores, backups, or virtual machine images served over iSCSI. Unauthenticated remote read and write of arbitrary files threatens the confidentiality and integrity of corporate data, intellectual property, and personal data protected under GDPR; unauthorized file manipulation can therefore mean a reportable data breach, regulatory fines, and loss of customer trust. Although the CVSS vector rates availability as unaffected, tampering with configuration files or stored data can still cause operational downtime, so availability is at risk indirectly. Sectors that commonly rely on Synology devices for storage, including finance, healthcare, government, and critical infrastructure, are especially exposed. The high attack complexity may limit opportunistic mass exploitation, but targeted attacks by capable adversaries remain a realistic concern, and the absence of known in-the-wild exploits today does not rule out exploitation tomorrow. A compromised NAS is also a convenient foothold for lateral movement, so the blast radius can extend well beyond the device itself.

Mitigation Recommendations

To mitigate CVE-2022-27623, upgrade Synology DSM to 7.1-42661 or any later release, where the vulnerability is fixed. Where upgrading cannot happen immediately, reduce exposure: disable iSCSI if it is not in use, and restrict access to the DSM management interface (TCP 5000/5001 by default) and the iSCSI target port (TCP 3260 by default) to trusted management networks with firewall rules; a NAS management interface should never be reachable from the internet. Segment NAS devices away from general user networks. Enable logging on the device and alert on unexpected file access, configuration changes, and iSCSI target or LUN changes. Audit NAS configurations and access permissions regularly, enforce authentication on every management interface, and consider intrusion detection/prevention coverage for traffic to NAS devices. Finally, keep an asset inventory that records the DSM version of every Synology device so that unpatched units are identified and updated promptly.
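The inventory check above is easy to get wrong by comparing version strings lexically ("7.1-42661" sorts after "7.1.1-42962" as text). The following added example, which is not code from the page or from Synology, parses DSM version strings as DSM displays them (optional "DSM " prefix, optional third version component, optional "Update N" suffix) into comparable tuples and triages a constructed inventory against the fixed-in build from the CVE description. It implements the page's "before 7.1-42661" bound only; the hostnames, versions, and the `iscsi_enabled` field are hypothetical, and the affected-product range should be confirmed against Synology's own advisory.

```python
import re

# Fixed-in version taken from the CVE description ("before 7.1-42661" is affected).
FIXED_IN = "7.1-42661"

# Matches DSM version strings such as "7.1-42661", "DSM 7.1.1-42962",
# "7.0.1-42218 Update 3". The prefix, third component and Update suffix are optional.
_DSM_VERSION = re.compile(
    r"^(?:DSM\s+)?(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"-(?P<build>\d+)(?:\s+Update\s+(?P<update>\d+))?$"
)


def parse_dsm_version(text: str) -> tuple:
    """Parse a DSM version string into a comparable (major, minor, patch, build, update) tuple."""
    m = _DSM_VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    return (
        int(m["major"]),
        int(m["minor"]),
        int(m["patch"] or 0),
        int(m["build"]),
        int(m["update"] or 0),
    )


def is_affected(version: str) -> bool:
    """True when the version sorts strictly before the fixed-in release."""
    return parse_dsm_version(version) < parse_dsm_version(FIXED_IN)


def triage(inventory):
    """Return [(host, version, action)] for every device that still needs work.

    `inventory` is a list of dicts with keys host, dsm_version, iscsi_enabled
    (a hypothetical schema). Patched devices are omitted. Unpatched devices with
    iSCSI enabled are flagged as exposed; unpatched devices with iSCSI disabled
    still need the update but have reduced exposure in the meantime. Versions
    that cannot be parsed are reported rather than silently skipped.
    """
    findings = []
    for device in inventory:
        try:
            affected = is_affected(device["dsm_version"])
        except ValueError:
            findings.append((device["host"], device["dsm_version"],
                             "unparseable version, check manually"))
            continue
        if not affected:
            continue
        if device.get("iscsi_enabled", True):
            action = "EXPOSED: update to 7.1-42661 or later now; restrict management access until then"
        else:
            action = "update to 7.1-42661 or later (iSCSI disabled, exposure reduced)"
        findings.append((device["host"], device["dsm_version"], action))
    return sorted(findings)


# Constructed sample inventory: hypothetical hosts and versions, not real devices.
SAMPLE_INVENTORY = [
    {"host": "nas-fin-01", "dsm_version": "7.0.1-42218 Update 3", "iscsi_enabled": True},
    {"host": "nas-hr-01", "dsm_version": "DSM 7.1-42661 Update 2", "iscsi_enabled": True},
    {"host": "nas-lab-02", "dsm_version": "6.2.4-25556", "iscsi_enabled": False},
    {"host": "nas-backup-03", "dsm_version": "7.1.1-42962", "iscsi_enabled": True},
    {"host": "nas-legacy-09", "dsm_version": "unknown", "iscsi_enabled": True},
]

if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {version:24} {action}")
```

Feeding the constructed inventory through `triage` flags nas-fin-01 as exposed, nas-lab-02 as needing the update with reduced exposure, and nas-legacy-09 for manual review, while the two devices on 7.1-42661 Update 2 and 7.1.1-42962 are correctly left alone because the tuple comparison treats later builds and update levels as at least the fixed-in release.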


Technical Details

Data Version
5.1
Assigner Short Name
synology
Date Reserved
2022-03-21T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981ac4522896dcbd8fb6

Added to database: 5/21/2025, 9:08:42 AM

Last enriched: 7/5/2025, 10:28:35 AM

Last updated: 7/25/2025, 9:28:34 PM
