Cyber Resilience

CVE-2024-10441

Critical

Published: 19 March 2025

Published
19 March 2025
Modified
17 November 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0189 83.6th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-10441 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Synology Beestation Os. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-10441 is an improper encoding or escaping of output vulnerability, classified under CWE-116, affecting the system plugin daemon in Synology BeeStation OS (BSM) versions prior to 1.1-65374 and Synology DiskStation Manager (DSM) versions prior to 7.2-64570-4, 7.2.1-69057-6, and 7.2.2-72806-1. Published on 2025-03-19, this flaw enables remote attackers to execute arbitrary code through unspecified vectors. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critically severe due to its potential for widespread remote exploitation.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network, making it highly accessible with low attack complexity. Successful exploitation allows arbitrary code execution on affected systems, resulting in high impacts across confidentiality, integrity, and availability, which could lead to complete compromise of the targeted Synology devices.

Synology security advisories SA_24_20 and SA_24_23 provide details on mitigation, with patches available in BSM 1.1-65374 and the specified DSM versions (7.2-64570-4, 7.2.1-69057-6, 7.2.2-72806-1). Administrators should apply these updates promptly to affected systems.

EU & UK References

Vulnerability details

Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a critical remote code execution vulnerability (CWE-116) in the public-facing system plugin daemon of Synology DSM/BSM, directly enabling initial access via T1190 Exploit Public-Facing Application with no authentication required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-45538Same product: Synology Diskstation Manager
CVE-2024-50631Same product class: NAS / storage appliance
CVE-2025-12686Same product: Synology Beestation Os
CVE-2024-11131Same product class: NAS / storage appliance
CVE-2025-13392Same product: Synology Diskstation Manager
CVE-2024-10444Same product: Synology Diskstation Manager
CVE-2025-14713Same product: Synology Diskstation Manager
CVE-2025-30028Same product: Synology Diskstation Manager
CVE-2024-10442Same product: Synology Diskstation Manager
CVE-2024-50630Same product class: NAS / storage appliance

Affected Assets

synology
beestation os
1.0, 1.0.1, 1.0.2, 1.1
synology
diskstation manager
7.2 — 7.2-64570-4 · 7.2.1-69057 — 7.2.1-69057-6 · 7.2.2 — 7.2.2-72806-1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-15 requires filtering of information output to prevent improper encoding or escaping that enables arbitrary code execution via unspecified vectors.

prevent

SI-2 mandates timely remediation of flaws like this improper output encoding vulnerability through patching to the specified Synology versions.

prevent

SI-10 enforces input validation that complements output encoding to mitigate injection-based arbitrary code execution in the system plugin daemon.

References