
Synology has updated its security advisories to disclose details of a critical vulnerability in its camera firmware. The flaw allows remote attackers to execute arbitrary code or commands on affected Synology cameras.
The vulnerability affects the firmware of the following Synology camera models: BC500, CC400W, and TC500.
The severity is rated Critical, with a CVSS v3 base score of 9.8. A score that high corresponds to a network-reachable, low-complexity attack that requires neither privileges nor user interaction and gives full control over confidentiality, integrity, and availability, so an attacker only needs network access to a camera's exposed services.
The vulnerability, tracked as CVE-2024-11131, is an out-of-bounds write in the camera's video interface (Synology's advisory text originally called it an out-of-bounds read, but a read alone would not normally allow code execution, and the CVE record classifies it as a write). Remote attackers can exploit it to execute arbitrary code via unspecified vectors; Synology has not published which request triggers the bug, so any network path to the camera's video service should be treated as exposure.
The vulnerability was reported through the Pwn2Own 2024 contest via Trend Micro's Zero Day Initiative (ZDI-CAN-25538).
Synology has fixed the vulnerability in firmware version 1.2.0-0525. Users of the affected camera models (BC500, CC400W, and TC500) should upgrade to this version or later. Until every camera is updated, keeping the devices off the public internet and reachable only from the network segment that hosts the recorder or NVR limits who can reach the vulnerable service.
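The check a practitioner actually needs after reading this advisory is "which of my cameras still run a firmware older than 1.2.0-0525?". The script below is an added example, not Synology's code or tooling. It assumes the version format used in the advisory (major.minor.patch-build, for example "1.2.0-0525"), that every version numerically below the fixed build is vulnerable on the three listed models, and that the inventory comes from wherever you keep asset data; the `SAMPLE_INVENTORY` list and the helper names (`FirmwareVersion`, `is_vulnerable`, `find_vulnerable`) are constructed for illustration.

```python
"""Flag Synology cameras still running firmware below the CVE-2024-11131 fix.

Added example, not Synology's code. Assumes the advisory's version format
(major.minor.patch-build, e.g. "1.2.0-0525") and that any version below the
fixed build on an affected model is vulnerable. The inventory is constructed
sample data, not real devices.
"""
from __future__ import annotations

import re
from typing import Iterable, List, NamedTuple, Tuple

FIXED_VERSION = "1.2.0-0525"                      # from the advisory
AFFECTED_MODELS = {"BC500", "CC400W", "TC500"}    # from the advisory

# Version strings look like "1.2.0-0525": three dotted numbers plus a build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


class FirmwareVersion(NamedTuple):
    """Tuple ordering gives the numeric comparison we need (1.2.0-0500 < 1.2.0-0525)."""
    major: int
    minor: int
    patch: int
    build: int

    @classmethod
    def parse(cls, text: str) -> "FirmwareVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised firmware version: {text!r}")
        # int() drops the leading zeros in the build number ("0525" -> 525).
        return cls(*(int(g) for g in m.groups()))


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model is in scope and its firmware is below the fixed build."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    return FirmwareVersion.parse(version) < FirmwareVersion.parse(FIXED_VERSION)


# Constructed sample inventory: (hostname, model, firmware version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("cam-lobby", "BC500", "1.1.3-0442"),    # older release train: vulnerable
    ("cam-dock", "TC500", "1.2.0-0525"),     # exactly the fixed build: fine
    ("cam-gate", "CC400W", "1.2.0-0500"),    # same release, older build: vulnerable
    ("cam-yard", "BC500", "1.2.1-0010"),     # newer release: fine
    ("nas-1", "DS923+", "7.2.2-72806"),      # not a camera: out of scope
]


def find_vulnerable(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that still need the 1.2.0-0525 (or later) update."""
    return [name for name, model, version in inventory if is_vulnerable(model, version)]


if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_VERSION} or later")
```

Because `FirmwareVersion` is a tuple, the comparison is element-wise, so a build number is only compared when the release numbers match; this is what distinguishes 1.2.0-0500 (vulnerable) from 1.2.1-0010 (fixed), which a plain string comparison would get wrong as soon as a build number had fewer digits.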