CVE-2024-11131
Published: 19 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-11131 is an out-of-bounds read vulnerability (CWE-125) in the video interface of Synology Camera Firmware. It affects the BC500, CC400W, and TC500 models running versions prior to 1.2.0-0525. Published on 2025-03-19, the flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and enables remote attackers to execute arbitrary code via unspecified vectors.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing arbitrary code execution on affected devices.
Synology Security Advisory SA_24_24 details mitigation, with the vulnerability fixed in firmware version 1.2.0-0525. Affected users should update to this version or later; see https://www.synology.com/en-global/security/advisory/Synology_SA_24_24 for full guidance.
Details
- CWE(s): CWE-125 (Out-of-bounds Read)
- Affected Products: Synology Camera Firmware for the BC500, CC400W, and TC500 models, versions prior to 1.2.0-0525
- MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
An out-of-bounds read in the camera's public-facing video interface enables remote, unauthenticated code execution on the device firmware, which maps directly to exploitation of a public-facing application.