CVE-2024-47271
Description
Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-47271 exposes insufficiently protected credentials in Synology Surveillance Station’s IPSpeaker component, allowing admin-level attackers to access sensitive information.
Vulnerability
CVE-2024-47271 is an insufficiently protected credentials vulnerability located in the IPSpeaker component of Synology Surveillance Station. The flaw affects Surveillance Station versions before 9.2.2-11575 (for DSM 7.2 and 7.1) and before 9.2.2-9575 (for DSM 6.2) [1]. The vulnerability arises because the component does not adequately protect credentials, as classified under CWE-522 [1]. The exact mechanism is described as “unspecified vectors,” but the component’s handling of authentication data is clearly flawed [1].
Exploitation
To exploit this vulnerability, an attacker must first be a remote authenticated user with administrator privileges [1]. The attack vector is network-based with low attack complexity, requiring no user interaction [1]. The precise sequence of steps is not detailed, but the attacker would leverage the IPSpeaker component’s insufficient protection to extract credentials or other sensitive authentication material [1].
Impact
Successful exploitation results in the disclosure of confidential information, specifically credentials or other sensitive data protected by the component, with a high impact on confidentiality [1]. The CVSS v3 base score of 4.9 (Medium) reflects this, with a vector of AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N [1]. The attacker can obtain sensitive information but cannot modify or disrupt system operations [1].
Mitigation
Synology has released fixed versions: upgrade to Surveillance Station 9.2.2-11575 for DSM 7.2 and 7.1, or 9.2.2-9575 for DSM 6.2 [1]. No workaround is provided in the advisory, and the vulnerability is not listed in the CISA KEV catalog. Users should apply the update immediately to mitigate the risk [1].
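An added example, not part of the advisory or of Synology's tooling: a Python check that compares an installed Surveillance Station version against the fixed build for its DSM branch, since a single threshold would misclassify a patched DSM 6.2 system. The function names and the inventory rows are assumptions constructed for illustration.

```python
import re

# Fixed Surveillance Station builds per DSM branch, as stated in the text above.
FIXED_BUILDS = {
    (7, 2): (9, 2, 2, 11575),
    (7, 1): (9, 2, 2, 11575),
    (6, 2): (9, 2, 2, 9575),
}

_SS_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")
_DSM_VERSION = re.compile(r"^(\d+)\.(\d+)")


def parse_ss_version(text):
    """Turn 'major.minor.patch-build' into a tuple of ints for ordering."""
    match = _SS_VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Surveillance Station version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(dsm_version, ss_version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one installation."""
    match = _DSM_VERSION.match(dsm_version.strip())
    if not match:
        raise ValueError(f"unrecognised DSM version: {dsm_version!r}")
    branch = (int(match.group(1)), int(match.group(2)))
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # The advisory text names no fixed build for this DSM branch.
        return "unknown"
    return "vulnerable" if parse_ss_version(ss_version) < fixed else "fixed"


# Constructed inventory rows (hostname, DSM version, Surveillance Station version).
INVENTORY = [
    ("nas-a", "7.2.1", "9.2.1-11320"),
    ("nas-b", "7.1", "9.2.2-11575"),
    ("nas-c", "6.2.4", "9.2.2-9575"),
    ("nas-d", "6.2.4", "9.2.1-9500"),
]

if __name__ == "__main__":
    for host, dsm, ss in INVENTORY:
        print(f"{host}: DSM {dsm}, Surveillance Station {ss} -> {assess(dsm, ss)}")
```

A result of "unknown" means the DSM branch is not one of the three named in the text, so the installation needs manual review.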
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <9.2.2-11575, <9.2.2-9575
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.