CVE-2024-47269
Description
Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cleartext transmission of sensitive information in the Export Key function of Synology Surveillance Station allows an authenticated administrator to obtain secrets over the network.
Vulnerability
The Export Key functionality in Synology Surveillance Station versions before 9.2.2-11575 (DSM 7.2 and 7.1) and 9.2.2-9575 (DSM 6.2) transmits sensitive information in cleartext [1]. This is classified as CWE-319: Cleartext Transmission of Sensitive Information. The vulnerability affects the Export Key feature, which is used to export cryptographic key material or other sensitive data. The issue is present in all supported platform versions prior to the fixes.
Exploitation
An attacker must be a remote authenticated user with administrator privileges to access the Export Key functionality [1]. No user interaction is required beyond the attacker's own admin session. The exploitation vector is network-based (AV:N) with low attack complexity (AC:L) [1]. The attacker can trigger the export and intercept the cleartext transmission over the network using standard traffic capture techniques.
Impact
Successful exploitation allows an administrator-level attacker to obtain sensitive information in cleartext. The confidentiality impact is high (C:H) as the exposed data could include cryptographic keys or other secrets, while integrity and availability are not affected (I:N/A:N) [1]. The CVSS v3 base score is 4.9 (Medium).
Mitigation
Synology released fixed versions: upgrade Surveillance Station to 9.2.2-11575 or later for DSM 7.2 and 7.1, and to 9.2.2-9575 or later for DSM 6.2 [1]. No workarounds are provided in the advisory; upgrading is the recommended mitigation. This CVE is not listed in the KEV catalog as of the publication date.
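The fix ships as two build lines, so a single "build < 11575" comparison would wrongly flag patched DSM 6.2 hosts. The following inventory check is an added example, not Synology's tooling or part of the advisory; it assumes version strings of the form `9.2.2-11575`, and the host names and installed versions are constructed sample data.

```python
import re

# Fixed Surveillance Station builds per DSM branch, from the advisory text above.
FIXED = {
    "7.2": (9, 2, 2, 11575),
    "7.1": (9, 2, 2, 11575),
    "6.2": (9, 2, 2, 9575),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Parse 'major.minor.patch-build' (assumed format) into a tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized Surveillance Station version: {text!r}")
    return tuple(int(part) for part in m.groups())


def status(dsm_version, ss_version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one host."""
    # Only the DSM major.minor decides which fixed build applies.
    branch = ".".join(dsm_version.strip().split(".")[:2])
    fixed = FIXED.get(branch)
    if fixed is None:
        # DSM branch not named in the advisory: do not guess.
        return "unknown"
    return "vulnerable" if parse_version(ss_version) < fixed else "fixed"


def audit(inventory):
    """Map each host name to its status."""
    return {host: status(dsm, ss) for host, dsm, ss in inventory}


# Constructed sample inventory: (host, DSM version, Surveillance Station version).
INVENTORY = [
    ("nvr-01", "7.2.1", "9.2.1-11320"),
    ("nvr-02", "7.2", "9.2.2-11575"),
    ("nvr-03", "6.2.4", "9.2.2-9575"),   # patched, although 9575 < 11575
    ("nvr-04", "6.2.4", "9.2.0-9289"),
    ("nvr-05", "7.0.1", "9.1.0-10000"),  # DSM branch not covered by the advisory
]

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {result}")
```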
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.2.2-11575, <9.2.2-9575
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.