CVE-2024-10441
Published: 19 March 2025
Summary
CVE-2024-10441 is a critical-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Synology Beestation Os. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-15 requires filtering of information output to prevent improper encoding or escaping that enables arbitrary code execution via unspecified vectors.
SI-2 mandates timely remediation of flaws like this improper output encoding vulnerability through patching to the specified Synology versions.
SI-10 enforces input validation that complements output encoding to mitigate injection-based arbitrary code execution in the system plugin daemon.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a critical remote code execution vulnerability (CWE-116) in the public-facing system plugin daemon of Synology DSM/BSM, directly enabling initial access via T1190 Exploit Public-Facing Application with no authentication required.
NVD Description
Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors.
Deeper analysisAI
CVE-2024-10441 is an improper encoding or escaping of output vulnerability, classified under CWE-116, affecting the system plugin daemon in Synology BeeStation OS (BSM) versions prior to 1.1-65374 and Synology DiskStation Manager (DSM) versions prior to 7.2-64570-4, 7.2.1-69057-6, and 7.2.2-72806-1. Published on 2025-03-19, this flaw enables remote attackers to execute arbitrary code through unspecified vectors. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critically severe due to its potential for widespread remote exploitation.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network, making it highly accessible with low attack complexity. Successful exploitation allows arbitrary code execution on affected systems, resulting in high impacts across confidentiality, integrity, and availability, which could lead to complete compromise of the targeted Synology devices.
Synology security advisories SA_24_20 and SA_24_23 provide details on mitigation, with patches available in BSM 1.1-65374 and the specified DSM versions (7.2-64570-4, 7.2.1-69057-6, 7.2.2-72806-1). Administrators should apply these updates promptly to affected systems.
Details
- CWE(s)