CVE-2024-39352

A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.synology.com/en-global/security/advisory/Synology_SA_23_15	Vendor Advisory
https://www.synology.com/en-global/security/advisory/Synology_SA_23_15	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:synology:bc500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:synology:bc500:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:synology:tc500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:synology:tc500:-:*:*:*:*:*:*:*

History

04 Mar 2025, 18:43

Type	Values Removed	Values Added
CPE		cpe:2.3:h:synology:tc500:-:::::::* cpe:2.3:o:synology:tc500_firmware:::::::: cpe:2.3:h:synology:bc500:-:::::::* cpe:2.3:o:synology:bc500_firmware::::::::
References	~~() https://www.synology.com/en-global/security/advisory/Synology_SA_23_15 -~~	() https://www.synology.com/en-global/security/advisory/Synology_SA_23_15 - Vendor Advisory
First Time		Synology bc500 Firmware Synology bc500 Synology tc500 Firmware Synology tc500 Synology

Information

Published : 2024-06-28 06:15

Updated : 2025-04-10 18:14

NVD link : CVE-2024-39352

Mitre link : CVE-2024-39352

CVE.ORG link : CVE-2024-39352

JSON object : View

Products Affected

synology

bc500
tc500_firmware
tc500
bc500_firmware

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-39352", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@synology.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2024-06-28T06:15:06.223", "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_15", "tags": ["Vendor Advisory"], "source": "security@synology.com"}, {"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_15", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@synology.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500."}, {"lang": "es", "value": "Se encuentra una vulnerabilidad relacionada con la autorizaci\u00f3n incorrecta en la funcionalidad de actualizaci\u00f3n del firmware. Esto permite a los usuarios autenticados remotamente con privilegios de administrador omitir la verificaci\u00f3n de integridad del firmware mediante vectores no especificados. Los siguientes modelos con versiones de firmware de c\u00e1mara Synology anteriores a 1.0.7-0298 pueden verse afectados: BC500 y TC500."}], "lastModified": "2025-04-10T18:14:54.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:synology:bc500_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11106950-DFD0-441A-8DE3-DA19C15281B1", "versionEndExcluding": "1.0.7-0298"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:synology:bc500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5FD618BD-29BD-4F43-9BEF-F73065247580"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:synology:tc500_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4DBB838-E652-4C96-AC50-AF07510EF8E5", "versionEndExcluding": "1.0.7-0298"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:synology:tc500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "582C2C89-3351-4DC6-B40A-7E2E4CA6AFEA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@synology.com"}