CVE-2024-29241 CRITICAL

CVE-2024-29241

Vendor Synology
Product Surveillance Station
Weakness CWE-862 · Missing authorization
Published March 28, 2024
Last update August 12, 2025
View on NVD All CVEs

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

What the vulnerability does

01Description

Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors.

Key dates

02Disclosure timeline

March 28, 2024 CVE published
August 12, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-23999 WordPress Breeze plugin <= 2.2.13 - Broken Access Control vulnerability CVE-2024-50456 WordPress SEOPress plugin <= 8.1.1 - Broken Access Control vulnerability CVE-2025-57817 Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation CVE-2024-11725 SMS Alert Order Notifications – WooCommerce <= 3.7.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update CVE-2025-31863 WordPress Agency Toolkit plugin <= 1.0.24 - Broken Access Control vulnerability