CVE-2015-6912
published 2015-09-11

CVE-2015-6912: Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter…

Priority: P269 · critical · CVSS 2.0 score: 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 11.79% (95.6th percentile)
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi.

Affected

1 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | video_station | <= 1.5-0757 | |

Detection & IOCs (extracted from sources)

url: /webapi/VideoStation/subtitle.cgi
url: /webapi/VideoStation/watchstatus.cgi
url: /webapi/VideoStation/audiotrack.cgi
path: /webapi/VideoStation/subtitle.cgi
port: 5000
  • Detect command injection attempts via the 'subtitle_codepage' parameter in subtitle.cgi; look for shell metacharacters (e.g., '&', ';', '|') or Python reverse-shell payloads in the parameter value.
  • Monitor for unauthenticated requests to subtitle.cgi when the 'public share' option is enabled, as exploitation does not require authentication in that configuration.
  • Detect blind SQL injection attempts in the 'id' parameter of watchstatus.cgi and audiotrack.cgi; look for SQL keywords (OR, SELECT, CASE, WHEN, CHR, pg_user) in POST body.
  • Flag HTTP requests to Synology VideoStation CGI endpoints (subtitle.cgi, watchstatus.cgi, audiotrack.cgi) on port 5000 containing URL-encoded shell metacharacters or SQL injection patterns.
  • Presence of 'sharing_id' parameter in subtitle.cgi requests may indicate exploitation via the unauthenticated public-share path; correlate with absence of session cookie.
  • The command injection in subtitle.cgi is exploitable without authentication only when the 'public share' option is enabled on the NAS; with it disabled, authentication is required.
  • The X-SYNO-TOKEN header provides CSRF protection for watchstatus.cgi and audiotrack.cgi; this protection is enabled by default only as of DSM version 5.2-5592 Update 3, so older DSM versions may lack it.
  • The audiotrack.cgi SQL injection was patched in version 1.5-0757, while subtitle.cgi and watchstatus.cgi were patched in the later 1.5-0763; systems on 1.5-0757 remain vulnerable to the subtitle/watchstatus issues.
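
The detection points above can be combined into one request classifier. This is an added example, not code from the advisory or from Synology; the request record shape, the `findings` function, and the finding labels are assumptions, and any non-empty Cookie header is treated as a session.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters named on the page ('&', ';', '|'); backtick and '$' are added assumptions.
SHELL_META = re.compile(r"[&;|`$]")
# SQL keywords the page lists for the 'id' parameter.
SQL_WORDS = re.compile(r"\b(OR|SELECT|CASE|WHEN|CHR|pg_user)\b", re.IGNORECASE)
SQLI_ENDPOINTS = ("watchstatus.cgi", "audiotrack.cgi")

def findings(req):
    """Return finding labels for one request dict with keys
    url, body, cookie (hypothetical record shape, e.g. from a proxy log)."""
    parts = urlsplit(req["url"])
    if not parts.path.startswith("/webapi/VideoStation/"):
        return []
    endpoint = parts.path.rsplit("/", 1)[-1]
    # parse_qs URL-decodes values, so %3B and %7C are matched as ';' and '|'.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(req.get("body", ""), keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    out = []
    if endpoint == "subtitle.cgi":
        if any(SHELL_META.search(v) for v in params.get("subtitle_codepage", [])):
            out.append("cmd-injection:subtitle_codepage")
        # sharing_id without a session cookie points at the public-share path.
        if "sharing_id" in params and not req.get("cookie"):
            out.append("unauthenticated-public-share")
    elif endpoint in SQLI_ENDPOINTS:
        if any(SQL_WORDS.search(v) for v in params.get("id", [])):
            out.append("sqli:id")
    return out

# Constructed sample requests (not real traffic), assumed already filtered to port 5000.
SAMPLES = [
    {"url": "/webapi/VideoStation/subtitle.cgi?id=12&subtitle_codepage=utf-8", "body": "", "cookie": "id=abc"},
    {"url": "/webapi/VideoStation/subtitle.cgi?sharing_id=x1&subtitle_codepage=utf-8%3BPLACEHOLDER", "body": "", "cookie": ""},
    {"url": "/webapi/VideoStation/watchstatus.cgi", "body": "id=1%20OR%201%3D1", "cookie": "id=abc"},
    {"url": "/webapi/VideoStation/audiotrack.cgi", "body": "id=42", "cookie": "id=abc"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["url"], findings(sample))
```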