CVE-2024-10441
Published: 19 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-10441 is an improper encoding or escaping of output vulnerability, classified under CWE-116, affecting the system plugin daemon in Synology BeeStation OS (BSM) versions prior to 1.1-65374 and Synology DiskStation Manager (DSM) versions prior to 7.2-64570-4, 7.2.1-69057-6, and 7.2.2-72806-1. Published on 2025-03-19, this flaw enables remote attackers to execute arbitrary code through unspecified vectors. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critically severe due to its potential for widespread remote exploitation.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network, making it highly accessible with low attack complexity. Successful exploitation allows arbitrary code execution on affected systems, resulting in high impacts across confidentiality, integrity, and availability, which could lead to complete compromise of the targeted Synology devices.
Synology security advisories SA_24_20 and SA_24_23 provide details on mitigation, with patches available in BSM 1.1-65374 and the specified DSM versions (7.2-64570-4, 7.2.1-69057-6, 7.2.2-72806-1). Administrators should apply these updates promptly to affected systems.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a critical remote code execution vulnerability (CWE-116) in the public-facing system plugin daemon of Synology DSM/BSM, directly enabling initial access via T1190 Exploit Public-Facing Application with no authentication required.