CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-29241

CVSS 9.9v3.1pub. 2024-03-28upd. 2025-08-12

Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors.

🤖 AI Analysis
How it works

The System webapi component in Synology Surveillance Station does not enforce proper authorization verification before executing specific requests. An authenticated remote user without appropriate administrative privileges can send requests to the vulnerable API without additional authorization. As a result, it is possible to write sensitive configurations in the DSM (DiskStation Manager) system and initiate a restart or shutdown of the NAS device.

Impact

An attacker with any user account can overwrite sensitive DSM configuration settings, force a restart or shutdown of the NAS device, and read undefined system information. These actions may lead to service availability disruption and system integrity violation.

Mitigation & patch

Synology Surveillance Station should be updated to version 9.2.0-9289 or 9.2.0-11289 (or newer), in accordance with the manufacturer's recommendations described in the Synology_SA_24_04 bulletin available at https://www.synology.com/en-global/security/advisory/Synology_SA_24_04.

Who is affected

Synology Surveillance Station in versions prior to 9.2.0-9289 and prior to 9.2.0-11289, running on Synology DiskStation Manager (DSM).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
  • Synology Diskstation Manager

    OS
    Synology
    6.27.17.2
  • Synology Surveillance Station

    APP
    Synology
    < 9.2.0-9289< 9.2.0-11289
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2024-45538CRITICAL9.6PL ✓ten sam produkt

CSRF umożliwiający RCE w Synology DiskStation Manager i Unified Controller

CVE-2024-10442CRITICAL10.0PL ✓ten sam produkt

RCE przez błąd off-by-one w komponencie transmisji Synology Replication Service

CVE-2024-10441CRITICAL9.8PL ✓ten sam produkt

RCE w Synology BeeStation OS i DSM — błąd kodowania wyjścia w systemowym daemonie

CVE-2024-10443CRITICAL9.8PL ✓ten sam produkt

OS Command Injection w Synology BeePhotos i Synology Photos — RCE bez uwierzytelnienia

CVE-2022-27625CRITICAL10.0ten sam produkt

A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in ...