CVE-2024-29237 in Surveillance Station

Summary

by MITRE • 03/28/2024

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors.


Analysis

by VulDB Data Team • 08/04/2025

The CVE-2024-29237 vulnerability represents a critical SQL injection flaw within the ActionRule.Delete webapi component of Synology Surveillance Station software. This vulnerability affects versions prior to 9.2.0-11289 and 9.2.0-9289, creating a significant security risk for users who have authenticated access to the system. The flaw resides in the improper neutralization of special elements used in SQL commands, which allows malicious actors to manipulate database queries through carefully crafted inputs.

The technical root of this vulnerability is inadequate input validation and sanitization within the ActionRule.Delete API endpoint. When authenticated users submit requests to this component, the system fails to properly escape or encode special SQL characters and keywords that could alter the intended query structure. This weakness enables attackers to inject malicious SQL code that executes with the privileges of the affected application, potentially allowing full database access and manipulation. The vulnerability operates at the application layer and specifically targets Surveillance Station's rule management functionality, where users can define automated actions based on security events.

From an operational impact perspective, this vulnerability presents a severe threat to surveillance system integrity and data confidentiality. An authenticated attacker with access to Surveillance Station can leverage this flaw to extract sensitive information from the database, including user credentials, camera configurations, and recorded footage metadata. The attack surface extends beyond simple data theft, as the vulnerability could enable privilege escalation, allowing attackers to modify system rules, disable security features, or even gain unauthorized access to other system components. Because the flaw is exploitable remotely, attackers do not need physical access to the device, making the attack vector particularly dangerous in networked environments.

The vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws in software applications, and maps to ATT&CK technique T1071.004 for application layer protocol manipulation. Organizations using Synology Surveillance Station should immediately implement patch management protocols to upgrade to version 9.2.0-11289 or 9.2.0-9289, which contain the necessary fixes for this vulnerability. Additional mitigations include implementing network segmentation to limit access to surveillance systems, enforcing strict access controls through role-based permissions, and monitoring API access logs for suspicious activity patterns. Security teams should also consider implementing web application firewalls and database activity monitoring solutions to detect and prevent exploitation attempts. The remediation process must include thorough testing of the patched version to ensure no regressions in system functionality while maintaining the security improvements.
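As an added illustration of the CWE-89 pattern described above and of the input neutralization that closes it (this is not Synology's code, and the entry does not describe the actual fix), a hypothetical delete-by-id handler in its vulnerable and hardened forms, run against a constructed SQLite table:

```python
import sqlite3

# Constructed sample rule store standing in for the table behind an
# ActionRule.Delete-style call. Hypothetical names; not Synology's schema.
SAMPLE_RULES = [(1, "motion-alert"), (2, "night-record"), (3, "door-snapshot")]

def make_db():
    """Create an in-memory table holding the constructed sample rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE action_rule (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO action_rule (id, name) VALUES (?, ?)", SAMPLE_RULES)
    conn.commit()
    return conn

def remaining_rules(conn):
    """Number of rules left in the table after a delete call."""
    return conn.execute("SELECT count(*) FROM action_rule").fetchone()[0]

def delete_rule_vulnerable(conn, rule_id):
    """CWE-89 pattern: the request parameter is spliced into the statement,
    so SQL metacharacters in it change the structure of the WHERE clause."""
    conn.execute(f"DELETE FROM action_rule WHERE id = {rule_id}")
    conn.commit()
    return remaining_rules(conn)

def delete_rule_hardened(conn, rule_id):
    """Neutralize the input twice over: reject anything that is not a decimal
    integer, then bind it as a parameter so the driver keeps data separate
    from query structure regardless of its content."""
    if not isinstance(rule_id, str) or not rule_id.isdecimal():
        raise ValueError("rule id must be a decimal integer")
    conn.execute("DELETE FROM action_rule WHERE id = ?", (int(rule_id),))
    conn.commit()
    return remaining_rules(conn)

if __name__ == "__main__":
    # Well-formed request: both handlers remove exactly one of three rules.
    print(delete_rule_vulnerable(make_db(), "1"), delete_rule_hardened(make_db(), "1"))
    # A tautology in the id parameter wipes the table through the vulnerable
    # handler but is rejected before reaching the database by the hardened one.
    print(delete_rule_vulnerable(make_db(), "1 OR 1=1"))
    try:
        delete_rule_hardened(make_db(), "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same contrast is what database activity monitoring keys on: the hardened handler only ever issues one fixed statement shape, so any DELETE against the rule table with a non-constant WHERE clause is anomalous.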

Responsible

Synology Inc.

Reservation

03/19/2024

Disclosure

03/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00586

KEV

no

Activities

very low

Sources
