Arbitrary Command Execution Vulnerability in Synology Camera Firmware

CVE-2024-39351
7.2 HIGH

Key Information

Vendor
Synology
Status
Camera Firmware
Vendor
CVE Published: 28 June 2024

Summary

A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the NTP configuration. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.

Affected Version(s)

Camera Firmware <= 1.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

NVD Database, Mitre Database

Credit

Jaehoon Jang, Wonbeen Im, STEALIEN (https://stealien.com).