CVE-2024-50630
Published: 19 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Security Summary
CVE-2024-50630 is a missing authentication for critical function vulnerability (CWE-306) in the webapi component of Synology Drive Server. It affects versions prior to 3.0.4-12699, 3.2.1-23280, 3.5.0-26085, and 3.5.1-26102. The vulnerability enables remote attackers to obtain administrator credentials via unspecified vectors. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact from network-based attacks with low complexity and no required privileges or user interaction.
Remote unauthenticated attackers can exploit this vulnerability over the network to access the webapi component and retrieve administrator credentials. Successful exploitation grants attackers sensitive authentication data, potentially enabling further unauthorized access, privilege escalation, or complete compromise of the Synology Drive Server environment.
Synology security advisory SA_24_21, available at https://www.synology.com/en-global/security/advisory/Synology_SA_24_21, provides details on mitigation, including patches that address the issue in the specified fixed versions of Synology Drive Server. Security practitioners should apply these updates promptly to vulnerable installations.
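The practical question for a defender is whether a given installation is older than the fixed build for its branch. The script below is an added example, not part of this advisory or of Synology's tooling; it parses the `major.minor.patch-build` package version strings quoted above and classifies an installed version against the four fixed versions named on this page. It assumes, as a labelled assumption, that each fixed version applies to the branch sharing its `major.minor.patch` prefix; versions on a branch the advisory does not list are flagged for manual review rather than guessed at. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions for CVE-2024-50630 as quoted on this page (advisory SA_24_21).
FIXED_VERSIONS: List[str] = [
    "3.0.4-12699",
    "3.2.1-23280",
    "3.5.0-26085",
    "3.5.1-26102",
]

# Synology package versions look like "3.5.1-26102": semver-style prefix plus a build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

Branch = Tuple[int, int, int]
Version = Tuple[Branch, int]


def parse_version(text: str) -> Version:
    """Parse '3.5.1-26102' into ((3, 5, 1), 26102); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch), build


# ASSUMPTION: one fixed build per major.minor.patch branch, keyed by that prefix.
_FIXED_BY_BRANCH: Dict[Branch, int] = {
    parse_version(v)[0]: parse_version(v)[1] for v in FIXED_VERSIONS
}
_LOWEST_FIXED: Version = min(parse_version(v) for v in FIXED_VERSIONS)
_HIGHEST_FIXED: Version = max(parse_version(v) for v in FIXED_VERSIONS)


def assess(installed: str) -> str:
    """Classify an installed Synology Drive Server version against the fixed builds.

    Returns one of:
      'vulnerable'          - same branch as a fixed version but an older build, or
                              older than every fixed version the advisory lists
      'fixed'               - at or above the fixed build for its branch
      'newer-than-advisory' - above every listed fixed version (not covered here)
      'unlisted-branch'     - between listed branches; check the advisory by hand
    """
    version = parse_version(installed)
    branch, build = version
    fixed_build = _FIXED_BY_BRANCH.get(branch)
    if fixed_build is not None:
        return "vulnerable" if build < fixed_build else "fixed"
    if version < _LOWEST_FIXED:
        return "vulnerable"
    if version > _HIGHEST_FIXED:
        return "newer-than-advisory"
    return "unlisted-branch"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> assessment for an inventory of host -> installed version."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (host names and versions are made up for illustration).
SAMPLE_INVENTORY: Dict[str, str] = {
    "nas-01": "3.5.1-26101",  # one build short of the fix
    "nas-02": "3.5.1-26102",  # exactly the fixed build
    "nas-03": "3.0.3-12000",  # older than every listed fix
    "nas-04": "3.1.0-20000",  # branch not named in the advisory
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {verdict}")
```

Versions are compared as integer tuples, not strings, so `3.5.1-9999` correctly sorts below `3.5.1-26102`; a string comparison would get that wrong. Anything the regex rejects raises instead of silently passing, which is the behaviour you want in an inventory check.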
Details
CWE(s): CWE-306 (Missing Authentication for Critical Function)
Affected Products: Synology Drive Server, versions prior to 3.0.4-12699, 3.2.1-23280, 3.5.0-26085, and 3.5.1-26102
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1212 (Exploitation for Credential Access)
Why these techniques?
Missing authentication in the webapi component allows remote, unauthenticated access that yields administrator credentials. That is exploitation of a public-facing application (T1190) carried out for credential access (T1212).