PT-2024-7608 · Synology · Synology BeePhotos (+1 product)

Author: Rick De Jager
Published: 2024-10-25
Updated: 2026-03-27

CVE ID: CVE-2024-10443
CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

- Synology BeePhotos versions prior to 1.0.2-10026
- Synology BeePhotos version 1.1.0-10053
- Synology Photos versions prior to 1.6.2-0720
- Synology Photos version 1.7.0-0795
- Synology BeeStation BST150-4T (affected versions not specified)

Description

A command injection flaw exists in the Task Manager component of Synology BeePhotos and Synology Photos. The root cause is improper neutralization of special elements used in OS commands: attacker-controlled input reaches an OS command without being sanitized. Because the flaw is reachable over the network and requires neither authentication nor user interaction, a remote attacker can execute arbitrary code on the device via unspecified vectors. Millions of Synology NAS devices are potentially affected. The vulnerability, dubbed RISK:STATION, was discovered at Pwn2Own 2024 and is actively exploited.

Recommendations

- Update Synology BeePhotos to version 1.0.2-10026 or later.
- Update Synology BeePhotos to version 1.1.0-10053 or later.
- Update Synology Photos to version 1.6.2-0720 or later.
- Update Synology Photos to version 1.7.0-0795 or later.

Tags: Fix, RCE, OS Command Injection, Improper Privilege Management, Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-09014
CVE-2024-10443
ZDI-25-207

Affected Products

Synology BeePhotos
Synology Photos