Executive Summary

CVE-2026-24724 is an incorrect authorization flaw in Synology File Station 6 that allows a remote attacker who has obtained any valid user account to bypass intended access restrictions and reach files outside their permission scope. In OT environments where File Station instances act as shared repositories for engineering backups, PLC project files, HMI configurations, and as-built drawings, this turns a low-privilege foothold into broad access over the documentation that defines how a plant operates.

Technical Exposure Breakdown

The vulnerable component is the File Station 6 application running on Synology DiskStation Manager appliances. The defect is a broken authorization check, meaning the application authenticates the user correctly but fails to enforce the per-share or per-folder permission boundary that was configured. Authentication is a precondition, so this is not an unauthenticated internet drive-by. The attacker first needs a user account, which in practice is supplied through credential reuse, phishing of a contractor login, a default or weak service account, or lateral movement from a compromised engineering workstation already inside the OT DMZ.

Once a session is established, the flaw lets the attacker request resources that the access control layer should have denied. Incorrect authorization classes typically resolve to one of three behaviors: a missing ownership check on a file operation, a path or share identifier that is trusted from the client without revalidation, or an API endpoint that enforces authentication but not authorization. Any of these permits horizontal privilege escalation across user boundaries and, depending on share layout, vertical access into administrative or cross-department directories.

Synology has remediated the issue, with File Station 5 patched at version 5.5.6.5243 and later. No CVSS score was assigned in the advisory and the vulnerability is not currently in the known exploited vulnerability catalog, but absence from that catalog is not evidence of safety. It is evidence that public exploitation has not yet been confirmed.

OT Impact and Compliance Risk

NAS appliances are rarely treated as critical assets, yet in many plants they hold the single authoritative copy of PLC logic, drive parameters, alarm databases, and recovery images. An attacker reading those files gains a map of the control system without ever touching a controller. An attacker who can also write to those repositories can poison the backups and project files that engineers restore from during an incident, which converts a confidentiality problem into an integrity and availability problem on the next maintenance cycle.

Under IEC 62443, this is a failure of the access control foundational requirement (FR 2) and undermines zone and conduit segmentation assumptions if the appliance straddles the IT and OT boundary. For NERC CIP entities, a NAS holding BES Cyber System information falls under CIP-011 information protection and CIP-005 electronic security perimeter scoping, and improper access enforcement is a reportable control failure. Water and wastewater operators governed by AWIA 2018 risk exposure of SCADA documentation that feeds their risk and resilience assessments. Pipeline operators under TSA SD-02C should treat any shared file service crossing the critical cyber system boundary as in scope for access control verification.

Compensating Controls

Patching the appliance is the endpoint, but OT change windows are slow, so apply layered controls now. First, do not perform active scanning to confirm the version against production-adjacent appliances without an offline test; aggressive enumeration of NAS services has caused storage controllers to fault. Pull versions from configuration records or passive identification instead.

Validate every change in a test environment before touching production storage, because a faulted NAS during a recovery event is its own outage.

BreachSpider Intel

BreachSpider tracks authorization and access control defects across OT-adjacent appliances and maps them to your asset inventory, so monitor CVE-2026-24724 and related exposure through the BreachSpider platform.