Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2021-47960

CVE-2021-47960: Synology SSL VPN Client Info Disclosure

CVE-2021-47960 is an information disclosure vulnerability in Synology SSL VPN Client that allows remote attackers to access sensitive files via a local HTTP server. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2021-47960 Overview

CVE-2021-47960 is a files or directories accessible to external parties vulnerability (CWE-552) affecting Synology SSL VPN Client before version 1.4.5-0684. This vulnerability allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure.

Critical Impact

Remote attackers can exfiltrate sensitive VPN configuration files, certificates, and logs through a crafted web page, potentially compromising VPN credentials and enabling further network attacks.

Affected Products

  • Synology SSL VPN Client versions before 1.4.5-0684

Discovery Timeline

  • 2026-04-10 - CVE CVE-2021-47960 published to NVD
  • 2026-04-13 - Last updated in NVD database

Technical Details for CVE-2021-47960

Vulnerability Analysis

The vulnerability exists in how Synology SSL VPN Client implements its local HTTP server component. The application binds an HTTP server to the loopback interface (127.0.0.1 or localhost) for internal communication purposes. However, due to improper access controls, this server fails to adequately restrict which files can be served from the installation directory.

When a user visits a malicious web page, JavaScript executing in the browser can make requests to the localhost server. Because the HTTP server does not properly validate or restrict file access requests, an attacker can craft requests that retrieve arbitrary files from within the VPN client's installation directory. This design flaw enables the exposure of sensitive configuration data, authentication certificates, and operational logs.

Root Cause

The root cause is classified as CWE-552 (Files or Directories Accessible to External Parties). The local HTTP server fails to implement proper access controls or path restrictions, allowing external web content to request and retrieve files that should remain protected. The vulnerability relies on the browser's ability to make cross-origin requests to localhost services, combined with insufficient file access validation on the server side.

Attack Vector

The attack leverages social engineering combined with browser-based exploitation. An attacker crafts a malicious web page containing JavaScript code designed to probe the victim's localhost for the vulnerable Synology SSL VPN Client HTTP server. When the victim browses to this page, the script silently makes requests to retrieve sensitive files from the VPN client's installation directory.

The attack requires user interaction—specifically, the victim must visit the attacker-controlled web page while the Synology SSL VPN Client is running. Files that may be exposed include VPN configuration files containing server addresses and settings, authentication certificates used for VPN connections, and log files that may contain connection history and diagnostic information.

Detection Methods for CVE-2021-47960

Indicators of Compromise

  • Unusual HTTP requests to localhost ports typically used by Synology SSL VPN Client
  • Web browser logs showing cross-origin requests to 127.0.0.1 or localhost from external domains
  • Unexpected file access events within the Synology SSL VPN Client installation directory

Detection Strategies

  • Monitor for anomalous localhost HTTP traffic patterns, particularly requests originating from browser processes
  • Implement browser-level security controls to restrict cross-origin requests to localhost services
  • Deploy endpoint detection solutions to identify suspicious file access patterns targeting VPN configuration directories

Monitoring Recommendations

  • Enable detailed logging for the Synology SSL VPN Client application
  • Monitor network connections from browser processes to localhost addresses
  • Implement file integrity monitoring on VPN client configuration and certificate directories

How to Mitigate CVE-2021-47960

Immediate Actions Required

  • Update Synology SSL VPN Client to version 1.4.5-0684 or later immediately
  • Review VPN configuration files and certificates for potential unauthorized access
  • Consider rotating VPN certificates if exposure is suspected
  • Implement browser security policies that restrict localhost access from external origins

Patch Information

Synology has released a security update addressing this vulnerability in Synology SSL VPN Client version 1.4.5-0684. Users should apply this update as soon as possible. For detailed information, refer to the Synology Security Advisory SA-26-05.

Workarounds

  • Disable or stop the Synology SSL VPN Client when not actively in use
  • Use browser extensions that block cross-origin requests to localhost addresses
  • Implement host-based firewall rules to restrict access to the local HTTP server port
  • Consider using browser profiles or containers to isolate browsing sessions when the VPN client is active

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.