Missing Authentication Vulnerability in Synology Drive Server
CVE-2024-50630

7.5 HIGH

Key Information:

Vendor: Synology
CVE Published: 19 March 2025

Summary

A vulnerability within the webapi component of Synology Drive Server exposes critical functions without proper authentication. This flaw allows remote attackers to gain unauthorized access to administrator credentials through unspecified attack vectors, potentially compromising system integrity and confidentiality. Users are advised to update to the latest versions to mitigate any risks associated with this vulnerability.

Affected Version(s)

Synology Drive Server *

Synology Drive Server * < 3.0.4-12699

Synology Drive Server * < 3.5.1-26102

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from DEVCORE Research Team.