CISA Alert March 19, 2025: Synology Products

synology camera firmware
CISA recently issued alerts regarding critical vulnerabilities in several Synology products, including camera firmware. These vulnerabilities, if exploited, could allow remote attackers to execute arbitrary code, which could lead to significant system-wide impacts.

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).  NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

VULNERABILITIES

Here are the latest Known Exploited Vulnerabilities including Synology products recently released by CISA in conjunction with the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

Vendor/Product:  SynologyUnified Controller (DSMUC)

Description:  Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors.

Impact:  Remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors.

Source: CVE-2024-10442

Max Severity:  High

CVSS Score: 9.8

Mitigation:   To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.

Vendor/Product:  Synology DiskStation Manager (DSM)
Description:  Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation Manager (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1.

Impact:  Remote attackers can execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors.

Source: CVE-2024-10441

Max Severity:  High

CVSS Score: 9.8

Mitigation:   To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.

Vendor/Product:  Synology Camera Firmware
Description:  A vulnerability regarding out-of-bounds read is found in the video interface. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.2.0-0525 may be affected: BC500, CC400W and TC500.

Impact:  This allows remote attackers to execute arbitrary code via unspecified vectors.

Source: CVE-2024-11131

Max Severity:  High

CVSS Score: 9.8

Mitigation:   To protect users, Synology does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities shall be announced on Synology's official website.

Who’s watching your firmware?