CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-10443

CVSS 9.8v3.1pub. 2024-11-15upd. 2025-09-16

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.

🤖 AI Analysis
How it works

The vulnerability results from improper neutralization of special characters in operating system commands (CWE-78, CWE-77) in the Task Manager component. An attacker can transmit crafted input over the network without any authentication and without user interaction, which will be passed directly to the system shell. As a result, arbitrary commands can be executed at the operating system level on the device.

Impact

An attacker can gain full control of the device, obtaining confidentiality, integrity, and availability of the system — including the ability to read and modify data, install malicious software, and disrupt services.

Mitigation & patch

Synology BeePhotos must be immediately updated to version 1.0.2-10026 or 1.1.0-10053 (and newer) and Synology Photos to version 1.6.2-0720 or 1.7.0-0795 (and newer). Detailed information is available in the vendor's security bulletins: Synology_SA_24_18 and Synology_SA_24_19.

Who is affected

Synology BeePhotos in versions before 1.0.2-10026 and before 1.1.0-10053; Synology Photos in versions before 1.6.2-0720 and before 1.7.0-0795.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Synology Beephotos

    APP
    Synology
    < 1.1.0-10053< 1.0.2-10026
  • Synology Beestation Os

    OS
    Synology
    1.01.1
  • Synology Diskstation Manager

    OS
    Synology
    7.27.2.2
  • Synology Photos

    APP
    Synology
    < 1.7.0-0795< 1.6.2-0720
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2025-12686CRITICAL9.8PL ✓ten sam produkt

Classic Buffer Overflow w Synology BeeStation OS — zdalne wykonanie kodu

CVE-2024-45538CRITICAL9.6PL ✓ten sam produkt

CSRF umożliwiający RCE w Synology DiskStation Manager i Unified Controller

CVE-2024-10441CRITICAL9.8PL ✓ten sam produkt

RCE w Synology BeeStation OS i DSM — błąd kodowania wyjścia w systemowym daemonie

CVE-2024-10442CRITICAL10.0PL ✓ten sam produkt

RCE przez błąd off-by-one w komponencie transmisji Synology Replication Service

CVE-2024-29241CRITICAL9.9PL ✓ten sam produkt

Brak autoryzacji w Synology Surveillance Station — zapis konfiguracji i restart NAS