CVE-2024-39349
Published: 28 June 2024
Summary
CVE-2024-39349 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Synology BC500 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A classic buffer overflow vulnerability exists in the libjansson component shipped with Synology Camera Firmware on BC500 and TC500 models. The flaw, tracked as CVE-2024-39349, is specific to Synology's integration and does not affect the upstream jansson library. It impacts all firmware versions prior to 1.0.7-0298 and carries a CVSS 3.1 score of 9.8.
Remote attackers can exploit the issue over the network without authentication or user interaction to execute arbitrary code. The exploitation vectors are described only as unspecified, but successful exploitation would grant full control over the affected camera device.
Synology's security advisory Synology_SA_23_15 recommends updating BC500 and TC500 devices to firmware 1.0.7-0298 or later to address the vulnerability. The associated EPSS score rose from low values after disclosure to a peak of 0.0845 on 2025-12-11 before receding to the current 0.0439, indicating a period of increased exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37912
Vulnerability details
A vulnerability regarding buffer copy without checking size of input ('Classic Buffer Overflow') is found in the libjansson component and it does not affect the upstream library. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.