CVE-2024-11131
Published: 19 March 2025
Summary
CVE-2024-11131 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Synology Bc500 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability involving an out-of-bounds read in the video interface allows remote attackers to execute arbitrary code on affected Synology camera devices. The issue impacts BC500, CC400W, and TC500 models running Camera Firmware versions prior to 1.2.0-0525 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers with network access can exploit the flaw via unspecified vectors to achieve code execution, potentially compromising the confidentiality, integrity, and availability of the device without requiring user interaction.
The official Synology advisory Synology_SA_24_24 recommends upgrading to firmware version 1.2.0-0525 or later to address the issue.
EPSS scores for the CVE rose from lower values to a peak of 0.1011 on 2026-05-18 before receding to the current level of 0.0552, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54109
Vulnerability details
A vulnerability regarding out-of-bounds read is found in the video interface. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.2.0-0525 may be affected: BC500, CC400W and TC500.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in public-facing video interface enables remote unauthenticated RCE on camera firmware, directly mapping to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely remediation of identified flaws, directly addressing this out-of-bounds read vulnerability through firmware updates to version 1.2.0-0525 or later.
Implements memory safeguards such as address space layout randomization and non-executable memory to prevent arbitrary code execution from out-of-bounds reads in the video interface.
Requires validation of inputs to the video interface to restrict and sanitize data that could trigger the out-of-bounds read vulnerability.