CVE-2015-6912
Published 2015-09-11
Priority: P269 | Severity: critical | CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 11.79% (95.6th percentile)
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | video_station | <= 1.5-0757 | — |
Detection & IOCs
- Detect command injection attempts via the 'subtitle_codepage' parameter in subtitle.cgi; look for shell metacharacters (e.g., '&', ';', '|') or Python reverse-shell payloads in the parameter value.
- Monitor for unauthenticated requests to subtitle.cgi when the 'public share' option is enabled, as exploitation does not require authentication in that configuration.
- Detect blind SQL injection attempts in the 'id' parameter of watchstatus.cgi and audiotrack.cgi; look for SQL keywords (OR, SELECT, CASE, WHEN, CHR, pg_user) in POST body.
- Flag HTTP requests to Synology VideoStation CGI endpoints (subtitle.cgi, watchstatus.cgi, audiotrack.cgi) on port 5000 containing URL-encoded shell metacharacters or SQL injection patterns.
- Presence of 'sharing_id' parameter in subtitle.cgi requests may indicate exploitation via the unauthenticated public-share path; correlate with absence of session cookie.
- The command injection in subtitle.cgi is exploitable without authentication only when the 'public share' option is enabled on the NAS; with it disabled, authentication is required.
- The X-SYNO-TOKEN header provides CSRF protection for watchstatus.cgi and audiotrack.cgi; this protection is enabled by default only as of DSM version 5.2-5592 Update 3, so older DSM versions may lack it.
- The audiotrack.cgi SQL injection was patched in version 1.5-0757, while subtitle.cgi and watchstatus.cgi were patched in the later 1.5-0763; systems on 1.5-0757 remain vulnerable to the subtitle/watchstatus issues.
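
The checks in the list above, expressed as request-triage logic over decoded parameters. This is an added example, not code from the advisory or from Synology; the `classify` and `scan` helpers, the `/placeholder/` paths and the sample requests are constructed, and any non-empty Cookie header is assumed to indicate a session.

```python
import re
from urllib.parse import urlsplit, parse_qs

# '&', ';', '|' come from the page; backtick, '$' and line breaks are assumed additions.
SHELL_META = re.compile(r"[&;|`$\r\n]")
# SQL keywords listed on the page, matched as whole words, case-insensitively.
SQL_WORDS = re.compile(r"\b(OR|SELECT|CASE|WHEN|CHR|pg_user)\b", re.I)
SQLI_ENDPOINTS = {"watchstatus.cgi", "audiotrack.cgi"}

def classify(url, body="", cookie=""):
    """Return the list of findings for one request (URL, form body, Cookie header)."""
    parts = urlsplit(url)
    endpoint = parts.path.rsplit("/", 1)[-1]
    # parse_qs percent-decodes values, so %3B, %7C and %26 are matched as ; | &
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    findings = []
    if endpoint == "subtitle.cgi":
        if any(SHELL_META.search(v) for v in params.get("subtitle_codepage", [])):
            findings.append("shell metacharacter in subtitle_codepage")
        # Assumption: an empty Cookie header means no session; the cookie name is not on the page.
        if "sharing_id" in params and not cookie.strip():
            findings.append("sharing_id without session cookie")
    elif endpoint in SQLI_ENDPOINTS:
        if any(SQL_WORDS.search(v) for v in params.get("id", [])):
            findings.append("SQL keyword in id")
    return findings

# Constructed sample requests: (url, body, cookie). Paths and values are placeholders.
SAMPLES = [
    ("/placeholder/subtitle.cgi?id=7&subtitle_codepage=utf-8", "", "session=abc"),
    ("/placeholder/subtitle.cgi?sharing_id=X&subtitle_codepage=utf-8%3BEXAMPLE", "", ""),
    ("/placeholder/watchstatus.cgi", "id=1%20OR%20EXAMPLE", "session=abc"),
    ("/placeholder/audiotrack.cgi", "id=42", "session=abc"),
]

def scan(samples):
    """Map each sample URL to its findings, keeping only requests that were flagged."""
    return {url: f for url, body, cookie in samples if (f := classify(url, body, cookie))}

if __name__ == "__main__":
    for url, findings in scan(SAMPLES).items():
        print(url, "->", ", ".join(findings))
```

Matching happens after percent-decoding, so the same rule covers both raw and URL-encoded metacharacters; the keyword match on `id` is deliberately broad because a legitimate value there is expected to be numeric.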
References
- http://packetstormsecurity.com/files/133519/Synology-Video-Station-1.5-0757-Command-Injection-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Sep/31
- http://www.securityfocus.com/archive/1/536427/100/0/threaded
- https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html
- https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715