CVE-2024-29241 Overview
CVE-2024-29241 is a missing authorization vulnerability in the System webapi component of Synology Surveillance Station. The flaw affects versions before 9.2.0-9289 and 9.2.0-11289. Authenticated remote users can obtain non-sensitive information, write sensitive configurations in DiskStation Manager (DSM), and reboot or shut down the underlying Network Attached Storage (NAS) device. The weakness is classified under [CWE-862: Missing Authorization]. The issue is tracked in Synology Security Advisory SA-24-04.
Critical Impact
Authenticated attackers can modify DSM configurations and forcibly reboot or shut down the NAS, disrupting all hosted services and surveillance recording.
Affected Products
- Synology Surveillance Station versions before 9.2.0-9289
- Synology Surveillance Station versions before 9.2.0-11289
- Synology DiskStation Manager (DSM) 6.2, 7.1, and 7.2
Discovery Timeline
- 2024-03-28 - CVE-2024-29241 published to the National Vulnerability Database (NVD)
- 2025-08-12 - Last updated in NVD database
Technical Details for CVE-2024-29241
Vulnerability Analysis
The vulnerability resides in the System webapi component of Synology Surveillance Station. Specific API endpoints fail to enforce authorization checks on the calling user's privilege level. Any authenticated session, regardless of role, can invoke privileged operations exposed by these endpoints. The impact crosses a trust boundary because the affected component executes actions against DSM, the host operating system. As a result, a low-privileged Surveillance Station user can manipulate DSM configuration and control the physical state of the NAS.
Root Cause
The root cause is a missing authorization check [CWE-862] in the System webapi handlers. The application authenticates the request but does not verify that the authenticated principal holds the role required for the requested action. Privileged operations such as configuration writes and power-state changes are exposed to all authenticated users.
Attack Vector
Exploitation requires network access to the Surveillance Station web interface and valid credentials with low privileges. The attacker issues crafted requests to the unprotected System webapi endpoints. The vendor advisory does not disclose the specific request structure. Successful requests allow the attacker to read non-sensitive data, write DSM configuration values, or trigger a reboot or shutdown.
No verified public proof-of-concept code is available. Refer to the Synology Security Advisory SA-24-04 for vendor technical context.
Detection Methods for CVE-2024-29241
Indicators of Compromise
- Unscheduled NAS reboot or shutdown events recorded in DSM system logs
- Surveillance Station webapi requests from low-privileged accounts targeting system or power-control endpoints
- Unexpected modifications to DSM configuration files or settings outside administrative change windows
- Authentication events for non-administrative users immediately preceding privileged DSM actions
Detection Strategies
- Compare the Surveillance Station version reported by DSM against 9.2.0-9289 and 9.2.0-11289 to identify vulnerable installations
- Audit DSM and Surveillance Station webapi access logs for HTTP requests to system control endpoints originating from non-admin user IDs
- Correlate Surveillance Station session activity with DSM reboot, shutdown, and configuration change events
Monitoring Recommendations
- Forward DSM and Surveillance Station logs to a centralized SIEM or data lake for retention and correlation
- Alert on any reboot or shutdown event that is not preceded by an administrative session
- Track configuration changes to DSM through file integrity monitoring on the NAS configuration store
How to Mitigate CVE-2024-29241
Immediate Actions Required
- Update Synology Surveillance Station to version 9.2.0-9289 or 9.2.0-11289 or later as specified by DSM platform
- Restrict Surveillance Station web interface exposure to trusted internal networks only
- Review and reduce the number of Surveillance Station user accounts, removing unused or shared logins
- Rotate credentials for all Surveillance Station accounts after patching
Patch Information
Synology has released fixed builds for Surveillance Station. Install Surveillance Station 9.2.0-9289 or 9.2.0-11289 or later through the DSM Package Center. Patch availability and version mapping per DSM release are documented in Synology Security Advisory SA-24-04.
Workarounds
- Block external access to DSM and Surveillance Station web ports at the perimeter firewall until the patch is applied
- Require VPN access for all Surveillance Station administration
- Disable the Surveillance Station package on NAS devices that do not actively require it
# Verify installed Surveillance Station version on DSM via SSH
synopkg version SurveillanceStation
# Trigger package update check from DSM CLI
sudo synopkg checkupdate SurveillanceStation
sudo synopkg install_from_server SurveillanceStation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
