CVE-2024-50630
Published 2025-03-19
Priority P2 · 63 · high · 7.5 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 22.72% (97.4th percentile)
Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | drive_server | < 3.0.4-12699 | 3.0.4-12699 |
| synology | drive_server | < 3.2.1-23280 | 3.2.1-23280 |
| synology | drive_server | < 3.5.0-26085 | 3.5.0-26085 |
| synology | drive_server | < 3.5.1-26102 | 3.5.1-26102 |
| synology | synology_drive_server | >= * < 3.0.4-12699 | 3.0.4-12699 |
| synology | synology_drive_server | >= * < 3.5.1-26102 | 3.5.1-26102 |
| synology | synology_drive_server | >= * < 3.5.0-26085 | 3.5.0-26085 |
| synology | synology_drive_server | >= * < 3.2.1-23280 | 3.2.1-23280 |
Detection & IOCs
URL: /webapi/entry.cgi
Snort/Suricata rule:
```suricata
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Synology Driver Server Unauthorized Access (CVE-2024-50630)"; flow:established,to_server; http.uri; content:"/webapi/entry.cgi"; fast_pattern; http.request_body; content:"api|3d|SYNO.SynologyDrive.Authentication"; content:"method|3d|authenticate"; content:"username|3d|"; content:!"password|3d|"; reference:url,kiddo-pwn.github.io/blog/2025-11-30/writing-sync-popping-cron; reference:cve,2024-50630; classtype:web-application-attack; sid:2066035; rev:1; metadata:affected_product Synology, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_05, cve CVE_2024_50630, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
- Look for HTTP POST requests to /webapi/entry.cgi whose body contains `api=SYNO.SynologyDrive.Authentication` and `method=authenticate` together with a `username=` field but no `password=` field; that is the unauthenticated credential-retrieval pattern the rule keys on.
- The Snort/Suricata rule (ET sid:2066035) inspects established inbound HTTP flows to $HOME_NET and treats the absence of a password parameter alongside that authentication API call as the exploit indicator.
- Deploy the rule where TLS is decrypted (the rule metadata sets tls_state TLSDecrypt and lists deployment SSLDecrypt); without decryption the http.uri and http.request_body content matches cannot be evaluated.
- Reference write-up cited by the rule: kiddo-pwn.github.io/blog/2025-11-30/writing-sync-popping-cron
- Affected versions of Synology Drive Server are those before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102; update to those versions or later to remediate.
- The vulnerability is in the webapi component; if patching is not immediately possible, restrict external access to /webapi/entry.cgi at the perimeter.
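To make the rule's conditions concrete, the following added example (not code from this page's source, Synology or Emerging Threats) re-implements the content tests of ET sid:2066035 in plain Python and runs them over three constructed HTTP requests: the credential-less authenticate call the rule is written for, a normal login that carries a password, and an unrelated Drive API call. Hostnames and parameter values in the samples are made up.

```python
"""Offline re-implementation of the match logic of ET sid:2066035 (CVE-2024-50630).
Added example for illustration; not the rule engine's own code."""
from typing import Tuple

URI_NEEDLE = b"/webapi/entry.cgi"
# "|3d|" in the rule is the hex escape for '=', so these are literal substrings.
BODY_NEEDLES = (
    b"api=SYNO.SynologyDrive.Authentication",
    b"method=authenticate",
    b"username=",
)
BODY_NEGATED = b"password="  # content:!"password|3d|"


def split_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (method, request-target, body) from a raw HTTP/1.1 request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], body if sep else b""


def rule_fires(raw: bytes) -> bool:
    """True when every content test of the rule holds: the URI contains the
    webapi endpoint, the body names the Drive authentication API and method
    with a username, and no password parameter is present."""
    _method, uri, body = split_request(raw)
    if URI_NEEDLE not in uri:
        return False
    if not all(needle in body for needle in BODY_NEEDLES):
        return False
    return BODY_NEGATED not in body


# Constructed sample traffic (hostname and values are made up, not captures).
SUSPECT = (b"POST /webapi/entry.cgi HTTP/1.1\r\nHost: nas.example.internal\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"api=SYNO.SynologyDrive.Authentication&method=authenticate"
           b"&username=someuser")
NORMAL_LOGIN = SUSPECT + b"&password=REDACTED"
OTHER_API = (b"POST /webapi/entry.cgi HTTP/1.1\r\nHost: nas.example.internal\r\n\r\n"
             b"api=SYNO.SynologyDrive.Files&method=list&username=someuser")

if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("normal", NORMAL_LOGIN), ("other", OTHER_API)):
        print(f"{name}: {'ALERT' if rule_fires(req) else 'pass'}")
```

Because the rule is pure substring matching, parameter order and extra parameters do not affect the verdict; the legitimate login is excluded only by the negated `password=` test, so a tuned deployment may still want to correlate alerts with the Drive Server's own authentication logs.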
Suricata
ET WEB_SPECIFIC_APPS Synology Driver Server Unauthorized Access (CVE-2024-50630)
suricata · 2025-12-05 · CVSS 7.5 · severity HIGH · rule sid:2066035 (given in full under Detection & IOCs above)
No public exploits indexed.
No writeups or analysis indexed.