Cyber Resilience

CVE-2024-11131

Critical

Published: 19 March 2025

Published
19 March 2025
Modified
16 January 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0552 90.5th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11131 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Synology Bc500 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability involving an out-of-bounds read in the video interface allows remote attackers to execute arbitrary code on affected Synology camera devices. The issue impacts BC500, CC400W, and TC500 models running Camera Firmware versions prior to 1.2.0-0525 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers with network access can exploit the flaw via unspecified vectors to achieve code execution, potentially compromising the confidentiality, integrity, and availability of the device without requiring user interaction.

The official Synology advisory Synology_SA_24_24 recommends upgrading to firmware version 1.2.0-0525 or later to address the issue.

EPSS scores for the CVE rose from lower values to a peak of 0.1011 on 2026-05-18 before receding to the current level of 0.0552, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

A vulnerability regarding out-of-bounds read is found in the video interface. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.2.0-0525 may be affected: BC500, CC400W and TC500.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Out-of-bounds read in public-facing video interface enables remote unauthenticated RCE on camera firmware, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-45538Same product class: NAS / storage appliance
CVE-2024-10441Same product class: NAS / storage appliance
CVE-2024-50631Same product class: NAS / storage appliance
CVE-2024-50630Same product class: NAS / storage appliance
CVE-2024-10442Same product class: NAS / storage appliance
CVE-2025-14713Same product class: NAS / storage appliance
CVE-2021-47961Same product class: NAS / storage appliance
CVE-2025-12686Same product class: NAS / storage appliance
CVE-2026-3091Same product class: NAS / storage appliance
CVE-2023-52945Same product class: NAS / storage appliance

Affected Assets

synology
bc500 firmware
≤ 1.2.0-0525
synology
cc400w firmware
≤ 1.2.0-0525
synology
tc500 firmware
≤ 1.2.0-0525

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely remediation of identified flaws, directly addressing this out-of-bounds read vulnerability through firmware updates to version 1.2.0-0525 or later.

prevent

Implements memory safeguards such as address space layout randomization and non-executable memory to prevent arbitrary code execution from out-of-bounds reads in the video interface.

prevent

Requires validation of inputs to the video interface to restrict and sanitize data that could trigger the out-of-bounds read vulnerability.

References