CVE-2024-47272
Description
Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An incorrect authorization flaw in the IO Module of Synology Surveillance Station allows remote authenticated administrators to write limited files, posing a low-severity integrity risk.
Vulnerability
An incorrect authorization vulnerability exists in the IO Module functionality of Synology Surveillance Station, as described in advisory Synology_SA_24_25 [1]. This flaw affects versions before 9.2.2-11575 (for DSM 7.2 and 7.1) and before 9.2.2-9575 (for DSM 6.2) [1]. The issue arises from improper authorization checks, allowing remote authenticated users with administrator privileges to write files under unspecified conditions within the IO Module [1].
Exploitation
Exploitation requires a remote attacker to have valid administrator credentials and network access to the Surveillance Station instance [1]. Synology does not disclose the exact sequence of steps; the advisory describes only a limited file write through unspecified vectors within the IO Module [1]. No user interaction beyond authentication is required.
Impact
Successful exploitation leads to limited file write access for an authenticated administrator, which could be used to modify certain system or configuration files within the affected product [1]. The severity is rated Low with a CVSS v3 base score of 2.7, reflecting the high privileges required and the limited scope of the write capability. The primary impact is on the integrity of the system, though the exact scope of writable files is not specified.
Mitigation
Synology has released fixed versions: upgrade to version 9.2.2-11575 or above for DSM 7.2 and 7.1, and to version 9.2.2-9575 or above for DSM 6.2 [1]. The advisory states “Mitigation: None” [1], indicating no workaround is available; users should apply the patch promptly.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.2.2-11575 & <9.2.2-9575
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.