CVE-2024-47267 Overview
CVE-2024-47267 is a path traversal vulnerability [CWE-22] in the Archiving Pull functionality of Synology Surveillance Station. The flaw affects versions before 9.2.2-11575 and 9.2.2-9575. Remote authenticated users holding administrator privileges can perform limited file write operations through unspecified vectors. The vulnerability stems from improper limitation of a pathname to a restricted directory. Synology documented the issue in advisory SA-24-25.
Critical Impact
An authenticated administrator can write files outside the intended directory, enabling limited tampering with files accessible to the Surveillance Station service.
Affected Products
- Synology Surveillance Station versions before 9.2.2-11575
- Synology Surveillance Station versions before 9.2.2-9575
- Archiving Pull functionality component
Discovery Timeline
- 2026-05-27 - CVE-2024-47267 published to the National Vulnerability Database (NVD)
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2024-47267
Vulnerability Analysis
The vulnerability resides in the Archiving Pull functionality of Synology Surveillance Station. This feature retrieves archived recordings from remote sources for storage on the local device. The component fails to properly validate or sanitize pathname inputs before performing file write operations. An attacker can supply traversal sequences such as ../ to direct writes outside the intended archive directory.
Exploitation requires network access to the Surveillance Station web service and valid administrator credentials. The impact is limited to file write operations within the service's permission boundary. Based on the available advisory information, the vulnerability does not directly grant code execution or disclose confidential data. The Common Weakness Enumeration classification is [CWE-22], Improper Limitation of a Pathname to a Restricted Directory.
Root Cause
The root cause is insufficient input validation on file path parameters processed by the Archiving Pull workflow. The affected code path accepts user-controlled strings and constructs file system paths without canonicalization checks. Directory traversal sequences are not stripped or rejected before the write operation executes.
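The defect class described above, shown as an added illustration that is not Synology's code: a hypothetical archive writer that joins a caller-supplied path without canonicalization, beside a hardened version that resolves the path and requires it to stay under the archive root. The root directory and file names are placeholders.

```python
import os

# Placeholder archive root; the real Surveillance Station layout is not part of this example.
ARCHIVE_ROOT = "/volume1/surveillance/archive"


def unsafe_target_path(root, user_path):
    """Vulnerable pattern (CWE-22): the caller-supplied path is joined as-is.

    '..' segments walk out of the root, and os.path.join even discards the
    root entirely when user_path is absolute.
    """
    return os.path.join(root, user_path)


def safe_target_path(root, user_path):
    """Hardened: canonicalize both sides, then require containment.

    The check runs on the value the application actually uses (already
    URL-decoded by the HTTP layer); do not decode again here, since a second
    decode is itself a classic bypass.
    """
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        raise ValueError("rejected path")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath() equals the root only when candidate is the root or lies
    # beneath it; a plain startswith() would wrongly accept "/archive2/...".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes archive root")
    return candidate


def is_confined(root, user_path):
    """Boolean wrapper around safe_target_path for quick checks."""
    try:
        safe_target_path(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["cam1/clip.mp4", "../../etc/passwd", "/etc/passwd", "cam1/../../x"]:
        print(f"{p!r}: unsafe -> {unsafe_target_path(ARCHIVE_ROOT, p)}, confined={is_confined(ARCHIVE_ROOT, p)}")
```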
Attack Vector
The attack vector is network-based and requires high privileges. An authenticated administrator submits a crafted request to the Archiving Pull endpoint. The request includes pathname values containing traversal sequences that resolve outside the intended archive storage directory. The service then writes attacker-controlled content to the resolved location. Synology has not published specific technical details of the exploitation vectors. Refer to the Synology Security Advisory SA-24-25 for vendor-confirmed information.
Detection Methods for CVE-2024-47267
Indicators of Compromise
- Unexpected files appearing outside the configured Surveillance Station archive directories
- HTTP requests to Archiving Pull endpoints containing traversal sequences such as ../ or URL-encoded equivalents like %2e%2e%2f
- Surveillance Station log entries showing file write operations to non-standard paths
- Administrator account activity from unfamiliar source IP addresses
Detection Strategies
- Inspect web server and application logs for Archiving Pull requests containing path traversal patterns in parameters
- Compare file system snapshots of Surveillance Station directories against baseline inventories
- Correlate administrator authentication events with archiving configuration changes
- Alert on file creation events in directories outside the documented Surveillance Station storage paths
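The indicator and log-inspection items above, as an added example that is not part of the original page or any Synology tooling: a small detector that parses combined-format access-log lines, restricts itself to requests against the Archiving Pull endpoint, and flags any query parameter that decodes to a `..` segment, including the URL-encoded and double-encoded forms. The endpoint path and the log lines are constructed placeholders; substitute the endpoint as it appears in your own DSM logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Placeholder endpoint and constructed sample log lines; not real Synology paths or logs.
PULL_ENDPOINT = "/webapi/SurveillanceStation/archiving_pull.cgi"
SAMPLE_LOGS = [
    '10.0.10.5 - admin [27/May/2026:10:00:01 +0000] "POST /webapi/SurveillanceStation/archiving_pull.cgi?path=archive/cam1 HTTP/1.1" 200 512',
    '203.0.113.9 - admin [27/May/2026:10:00:07 +0000] "POST /webapi/SurveillanceStation/archiving_pull.cgi?path=../../etc/passwd HTTP/1.1" 200 512',
    '203.0.113.9 - admin [27/May/2026:10:00:09 +0000] "POST /webapi/SurveillanceStation/archiving_pull.cgi?path=%2e%2e%2f%2e%2e%2fetc%2fcron.d HTTP/1.1" 200 512',
    '203.0.113.9 - admin [27/May/2026:10:00:11 +0000] "POST /webapi/SurveillanceStation/archiving_pull.cgi?dest=%252e%252e%252fvar HTTP/1.1" 200 512',
    '10.0.10.5 - admin [27/May/2026:10:00:15 +0000] "GET /webapi/SurveillanceStation/info.cgi HTTP/1.1" 200 128',
]

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# A ".." path segment bounded by a separator or the string edge, after decoding.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def fully_decode(value, max_rounds=3):
    """Peel repeated percent-encoding (%2e%2e%2f, %252e%252e%252f, ...) until stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_requests(lines):
    """Return one finding per Archiving Pull query parameter that resolves to a '..' segment."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != PULL_ENDPOINT:
            continue
        # parse_qs strips one layer of percent-encoding; fully_decode handles the rest.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                decoded = fully_decode(value).replace("\\", "/")
                if TRAVERSAL_RE.search(decoded):
                    findings.append({"ts": m["ts"], "src": m["src"], "user": m["user"],
                                     "param": name, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in find_traversal_requests(SAMPLE_LOGS):
        print(f"{f['ts']} {f['src']} user={f['user']} param={f['param']} -> {f['decoded']}")
```

Findings from this detector pair naturally with the administrator-login and file-creation events listed above, since a hit only matters if the request was made by a privileged session.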
Monitoring Recommendations
- Forward Synology DSM and Surveillance Station logs to a centralized logging platform for retention and analysis
- Monitor administrator account logins, particularly from external networks or new geolocations
- Track configuration changes to archive destinations and remote pull sources
- Implement file integrity monitoring on the volume hosting Surveillance Station
How to Mitigate CVE-2024-47267
Immediate Actions Required
- Upgrade Synology Surveillance Station to version 9.2.2-11575 or 9.2.2-9575 or later
- Audit administrator accounts and remove unused or unnecessary privileged users
- Enforce strong authentication and enable two-factor authentication for administrator accounts
- Restrict network access to the Surveillance Station web interface using firewall rules or VPN
Patch Information
Synology has released fixed versions of Surveillance Station. Apply version 9.2.2-11575 or 9.2.2-9575 or later, depending on the deployment channel. See the Synology Security Advisory SA-24-25 for the full list of fixed releases and download instructions.
Workarounds
- Limit administrator account access to trusted IP ranges using DSM firewall settings
- Disable the Archiving Pull feature if it is not in active use
- Place Surveillance Station behind a reverse proxy that filters traversal sequences from inbound requests
- Restrict outbound network access from the device to reduce abuse of pull-based workflows
# Configuration example - restrict admin access via DSM Control Panel firewall
# Example iptables-style rule applied through DSM firewall UI:
# Allow administrator access only from internal management subnet
# Source: 10.0.10.0/24 Destination port: 5000,5001 Action: Allow
# All other sources Destination port: 5000,5001 Action: Deny
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.