Synology DSM 7.3.2 has a serious local privilege escalation vulnerability that allows authenticated users to gain root access when the DownloadStation with BitTorrent is enabled. The exploit hinges on three misconfigurations: a world-writable Transmission socket located at `/tmp/synodl_transmission.sock`, a world-writable system directory at `/volume1/@eaDir/`, and the absence of the `nosuid` mount flag for `/volume1`. While non-admin users are generally safe, any user with shell access can exploit these issues to gain full system control. The attacker can place a malicious script in the `@eaDir` directory, which is writable by any user. By configuring Transmission to execute this script when a torrent completes, the attacker can effectively run any command with root privileges. The article outlines a step-by-step process to achieve this, including setting up the script, connecting to the Transmission socket, and triggering the execution through a torrent completion event. Once executed, the script creates a SUID root shell, granting the attacker complete access to the system. Three specific security issues combine to create this vulnerability. The world-writable socket allows any user to send RPC commands to Transmission, the writable directory permits anyone to place executable files, and the missing `nosuid` flag means SUID binaries retain their privileges. The impact of this exploit is significant, as it could allow an attacker to access sensitive files, modify system settings, or even deploy ransomware. The author recommends several mitigations for Synology, including running the Transmission daemon as a non-root user and tightening permissions on the socket and directory.