Synology discloses SSL VPN Client flaws that can expose files and enable traffic interception
Synology has warned users about two important vulnerabilities in its SSL VPN Client that could let remote attackers read sensitive local files or interfere with VPN traffic. Both issues affect Synology SSL VPN Client versions earlier than 1.4.5-0684, and Synology says users should upgrade immediately because no workaround exists.
The two bugs are CVE-2021-47960 and CVE-2021-47961. Synology rates both as Important, but the second flaw carries the higher CVSS score at 8.1, compared with 6.5 for the file-access issue.
The attack path also matters here. Synology says both vulnerabilities require user interaction with a crafted web page, so the flaws are not exposed to the silent, internet-wide exploitation that hits unauthenticated network services. That condition does not remove the risk, though: the attacker only needs the user to load a page they control, and the request then comes from the user's own browser on the same host as the client, where perimeter filtering never sees it. The exposure is worst in environments where users browse while connected to corporate VPN resources.
What each vulnerability does
CVE-2021-47960 allows remote attackers to access files from the SSL VPN Client installation directory through a local HTTP server bound to the loopback interface. Synology says attackers may retrieve configuration files, certificates, and logs if they can lure a user to interact with a malicious web page while the vulnerable client is present. Binding to loopback keeps the server off the network, but it does nothing against a page running in the user's browser, which sits on the same host and can send requests to 127.0.0.1 like any other local process.
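The general pattern behind this class of bug, as an added illustration that is not Synology's code and makes no claim about how the SSL VPN Client's server is written: a loopback-only HTTP service that hands out local files to any caller, next to a version that demands a per-launch token a third-party page cannot know and does not opt in to cross-origin reads. The file contents, the token header name and the attacker origin are all constructed for the example.

```python
"""Added illustration, not Synology's code: a loopback-only HTTP service is
still reachable from any web page the user opens, because the browser runs on
the same host. Paths, file contents and the token header are constructed."""
import http.server
import json
import secrets
import threading
import urllib.error
import urllib.request

# Constructed stand-in for sensitive files a local helper service might hold.
LOCAL_FILES = {
    "/config.json": json.dumps({"vpn_server": "vpn.example.test", "user": "alice"}),
}

# Per-launch secret. Only the service's own UI is given it; a third-party web
# page has no way to learn or guess it.
SESSION_TOKEN = secrets.token_urlsafe(32)


class LeakyHandler(http.server.BaseHTTPRequestHandler):
    """Serves local files to any caller and opts in to cross-origin reads."""

    def _serve(self, allow_cross_origin_read: bool) -> None:
        body = LOCAL_FILES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        if allow_cross_origin_read:
            # Lets script on any origin read the response body.
            self.send_header("Access-Control-Allow-Origin", "*")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self) -> None:
        self._serve(allow_cross_origin_read=True)

    def log_message(self, *args) -> None:  # silence per-request logging
        pass


class HardenedHandler(LeakyHandler):
    """Same files, but only for callers presenting the per-launch token, and
    with no CORS opt-in, so a stray reply stays opaque to foreign scripts."""

    def do_GET(self) -> None:
        if self.headers.get("X-Local-Token") != SESSION_TOKEN:
            self.send_error(403, "missing or wrong local token")
            return
        self._serve(allow_cross_origin_read=False)


def start_server(handler):
    """Bind to loopback on an ephemeral port and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port: int, path: str, headers: dict):
    """Stand-in for the request an attacker's page makes with fetch() to loopback.
    Returns (status, body, Access-Control-Allow-Origin header or None)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(), resp.headers.get("Access-Control-Allow-Origin")
    except urllib.error.HTTPError as err:
        return err.code, "", None


def demo() -> dict:
    """Run both servers and record how each answers an attacker-origin request."""
    leaky, hard = start_server(LeakyHandler), start_server(HardenedHandler)
    try:
        attacker_page = {"Origin": "https://attacker.example"}  # what a browser adds
        return {
            "leaky": fetch(leaky.server_address[1], "/config.json", attacker_page),
            "hardened_no_token": fetch(hard.server_address[1], "/config.json", attacker_page),
            "hardened_with_token": fetch(
                hard.server_address[1], "/config.json", {"X-Local-Token": SESSION_TOKEN}
            ),
        }
    finally:
        for srv in (leaky, hard):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (status, body, acao) in demo().items():
        print(f"{name}: HTTP {status}, ACAO={acao}, body={body!r}")
```

The leaky server returns the file to the attacker-origin request and, because it sends `Access-Control-Allow-Origin: *`, the page's script can read it. The hardened server refuses the same request with 403, and even a request that does carry the token gets no CORS header, so only the service's own UI can use the reply. Checking the `Origin` header alone is weaker than the token: not every browser request type sends it, and a random per-launch secret is what the attacker's page genuinely lacks.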
CVE-2021-47961 stems from plaintext password storage. According to Synology, the flaw can let remote attackers access or influence the user’s PIN code, which may then lead to unauthorized VPN configuration and possible interception of later VPN traffic.
Taken together, the two bugs create a more serious picture than either issue alone. One can expose local VPN-related files, while the other can tamper with PIN-related trust and setup. That combination could help an attacker move from information theft to session interference. This last point is an inference based on Synology’s impact descriptions.
Why this deserves quick patching
Synology’s advisory is unusually direct on remediation. The company says there are no temporary mitigations and instructs customers to upgrade to version 1.4.5-0684 or above.
That fixed version has been available since June 23, 2022, according to Synology's release notes. The April 2026 advisory therefore looks less like a brand-new patch drop and more like a public disclosure of older, already fixed issues that some users may still have left unpatched.
Synology also credits researcher Laurent Sibilla with reporting the vulnerabilities. The company published the advisory on April 10, 2026 and marked its status as resolved.
Vulnerabilities at a glance
| CVE | Issue | CVSS | Main risk | Fixed version |
|---|---|---|---|---|
| CVE-2021-47960 | Files accessible to external parties | 6.5 | Sensitive file disclosure from installation directory | 1.4.5-0684 or newer |
| CVE-2021-47961 | Plaintext storage of password | 8.1 | PIN manipulation, rogue VPN configuration, possible traffic interception | 1.4.5-0684 or newer |
Source: Synology advisory, NVD, and CVE record.
What admins and users should do now
- Upgrade Synology SSL VPN Client to version 1.4.5-0684 or later.
- Treat systems running older builds as exposed if users can be lured to malicious web content while the client is installed.
- Review whether sensitive certificates, logs, or configuration files may have been accessible on endpoints running outdated clients. This is a practical response based on Synology’s description of CVE-2021-47960.
- Check for unexpected VPN configuration changes or anomalies that could point to PIN abuse tied to CVE-2021-47961. This is a practical recommendation based on the stated impact.
- Remind users not to open untrusted pages while connected to corporate VPN environments, because user interaction is part of the exploit chain for both flaws.
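A fleet-wide check for the first item above, as an added example and not a Synology tool: parse the client's version string and flag every host below 1.4.5-0684. The point of doing this with a parser rather than a string comparison is the build suffix and multi-digit components, which a plain string compare orders incorrectly. The inventory lines and their versions are constructed; how you collect installed versions from endpoints depends on your own inventory tooling.

```python
"""Added example, not Synology tooling: triage an inventory of installed
Synology SSL VPN Client versions against the fixed build 1.4.5-0684.
Hostnames and version strings below are constructed sample data."""
import re
from typing import List, Tuple

FIXED_VERSION = "1.4.5-0684"

# major.minor.patch with an optional "-build" suffix, e.g. 1.4.5-0684
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.4.5-0684' into (1, 4, 5, 684). A missing build number counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = match.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the first fixed build.

    Tuple comparison is numeric per component, so 1.4.10 sorts after 1.4.5;
    comparing the raw strings would put it before, and misclassify the host.
    """
    return parse_version(installed) < parse_version(fixed)


# Constructed inventory: hostname, installed client version (one per line).
SAMPLE_INVENTORY = """\
lap-001,1.4.3-0536
lap-002,1.4.5-0684
lap-003,1.4.5-0683
lap-004,1.4.10-0700
lap-005,unknown
"""


def triage(inventory_csv: str) -> Tuple[List[str], List[str], List[str]]:
    """Split hosts into (vulnerable, patched, unparseable).

    Hosts whose version cannot be parsed (or whose line is malformed) land in
    the third list so they are followed up rather than silently treated as safe.
    """
    vulnerable, patched, unknown = [], [], []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        try:
            host, version = line.split(",", 1)
            (vulnerable if is_vulnerable(version) else patched).append(host)
        except ValueError:
            unknown.append(line.split(",", 1)[0])
    return vulnerable, patched, unknown


if __name__ == "__main__":
    vuln, ok, unk = triage(SAMPLE_INVENTORY)
    print("vulnerable:", vuln)
    print("patched:   ", ok)
    print("unparseable:", unk)
```

Anything in the unparseable list needs a manual look; an inventory agent that reports "unknown" or an empty field is not evidence that the host is patched.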
FAQ
Can the vulnerabilities be exploited remotely?
Yes, but only with user interaction. Synology says attackers need the user to interact with a crafted web page for exploitation to work.
Which of the two flaws is more severe?
By score, CVE-2021-47961 is more severe at 8.1 because it can expose or influence the user's PIN code and may enable unauthorized VPN configuration and later traffic interception.
Is there a workaround if I cannot upgrade right away?
No. Synology says there is no mitigation and tells users to upgrade.
Which version fixes the issues?
Synology says version 1.4.5-0684 or newer fixes both vulnerabilities.