CVE-2024-50630
published 2025-03-19

CVE-2024-50630: Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and…

Priority: P2 (63) · CVSS 3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 22.72% (97.4th percentile)
Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.

Affected (8 ranges)

Vendor     Product                  Version range           Fixed in
synology   drive_server             < 3.0.4-12699           3.0.4-12699
synology   drive_server             < 3.2.1-23280           3.2.1-23280
synology   drive_server             < 3.5.0-26085           3.5.0-26085
synology   drive_server             < 3.5.1-26102           3.5.1-26102
synology   synology_drive_server    >= * < 3.0.4-12699      3.0.4-12699
synology   synology_drive_server    >= * < 3.5.1-26102      3.5.1-26102
synology   synology_drive_server    >= * < 3.5.0-26085      3.5.0-26085
synology   synology_drive_server    >= * < 3.2.1-23280      3.2.1-23280

Note that the four ranges are per release branch: a 3.5.0 build at or above 26085 is fixed even though it sorts below 3.5.1-26102, so compare against the fixed build of the branch you are running rather than against the highest listed version.

Detection & IOCs (extracted from sources)

url: /webapi/entry.cgi
snort/suricata rule (ET sid:2066035; written with Suricata sticky buffers http.uri and http.request_body):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Synology Driver Server Unauthorized Access (CVE-2024-50630)"; flow:established,to_server; http.uri; content:"/webapi/entry.cgi"; fast_pattern; http.request_body; content:"api|3d|SYNO.SynologyDrive.Authentication"; content:"method|3d|authenticate"; content:"username|3d|"; content:!"password|3d|"; reference:url,kiddo-pwn.github.io/blog/2025-11-30/writing-sync-popping-cron; reference:cve,2024-50630; classtype:web-application-attack; sid:2066035; rev:1; metadata:affected_product Synology, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_05, cve CVE_2024_50630, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Look for HTTP POST requests to /webapi/entry.cgi whose body contains 'api=SYNO.SynologyDrive.Authentication' and 'method=authenticate' together with a 'username=' field but NO 'password=' field. A legitimate Drive client always sends a password with this call, so the missing field is the unauthenticated credential-theft pattern.
  • The Suricata/Snort rule (ET sid:2066035) applies to established inbound HTTP flows to $HOME_NET and flags the absence of a password parameter alongside the authentication API call. Its content matches are case-sensitive, unordered substring matches over the whole body, so parameter order does not matter, and any body containing 'password=' anywhere is suppressed. The rule does not constrain the HTTP method.
  • Deploy the rule where TLS is decrypted (the metadata carries tls_state TLSDecrypt and deployment SSLDecrypt): it inspects the request body, so it sees nothing on an HTTPS session that the sensor cannot decrypt.
  • The CVE description gives only "unspecified vectors"; the rule encodes the specific request shape from the referenced write-up, so treat it as coverage for the known exploit path rather than for every way the missing check might be reached.
  • Reference blog post for the exploit write-up: kiddo-pwn.github.io/blog/2025-11-30/writing-sync-popping-cron
  • Affected versions of Synology Drive Server are before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102; update to the fixed build for your branch or later to remediate.
  • The vulnerability resides in the webapi component. If patching is not immediately possible, keep the DSM and Drive Server ports off the internet and restrict which sources can reach /webapi/entry.cgi at the perimeter. Note that entry.cgi is the shared dispatcher for DSM's WebAPI, so blocking the path outright also breaks the normal DSM web interface and other Synology apps; restricting source networks is the usual compromise.
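To make the detection logic concrete, here is an added example (not code from the page, from Emerging Threats or from Synology) that re-implements the content matches of ET sid:2066035 in Python and runs them over a handful of constructed HTTP requests. It mirrors the rule's semantics (unordered, case-sensitive substring matches on the URI and body, one negated match) and then parses any hit's body so an analyst can see which api, method and username were sent. The HttpRequest type, the sample requests and the triage helper are assumptions of this example, not part of the rule or of any Synology API.

```python
"""Re-implementation of the ET 2066035 content matches for CVE-2024-50630.

The rule fires on a request whose URI contains /webapi/entry.cgi and whose
body contains api=SYNO.SynologyDrive.Authentication, method=authenticate
and username= but NOT password= (|3d| in the rule is the '=' byte).
All requests below are constructed for illustration, not captured traffic.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str


# Substrings the rule matches, with |3d| decoded to '='.
URI_NEEDLE = "/webapi/entry.cgi"
BODY_NEEDLES = (
    "api=SYNO.SynologyDrive.Authentication",
    "method=authenticate",
    "username=",
)
BODY_NEGATED = "password="


def matches_rule(req: HttpRequest) -> bool:
    """True when every content match of the rule is satisfied.

    Like the rule, this is case-sensitive, ignores parameter order, and
    does not constrain the HTTP method; the rule itself only requires an
    established to_server HTTP flow.
    """
    if URI_NEEDLE not in req.uri:
        return False
    if not all(needle in req.body for needle in BODY_NEEDLES):
        return False
    return BODY_NEGATED not in req.body


def parse_api_call(req: HttpRequest) -> dict:
    """Parsed view of a form-encoded body, for triage after a hit."""
    fields = parse_qs(req.body, keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def triage(requests):
    """Return (index, api, method, username) for each request that matches."""
    hits = []
    for index, req in enumerate(requests):
        if matches_rule(req):
            fields = parse_api_call(req)
            hits.append((index, fields.get("api"), fields.get("method"),
                         fields.get("username")))
    return hits


# Constructed sample traffic (hypothetical hosts and credentials).
SAMPLE_REQUESTS = [
    # 0: authenticate call carrying a username but no password -> hit
    HttpRequest("POST", "/webapi/entry.cgi",
                "api=SYNO.SynologyDrive.Authentication&method=authenticate"
                "&version=1&username=admin"),
    # 1: ordinary login, password present -> no hit (negated match)
    HttpRequest("POST", "/webapi/entry.cgi",
                "api=SYNO.SynologyDrive.Authentication&method=authenticate"
                "&version=1&username=alice&password=s3cret"),
    # 2: DSM login on the same dispatcher, different api name -> no hit
    HttpRequest("POST", "/webapi/entry.cgi",
                "api=SYNO.API.Auth&method=login&version=3"
                "&account=alice&passwd=s3cret"),
    # 3: same body to a different URI -> no hit (http.uri match fails)
    HttpRequest("POST", "/webapi/auth.cgi",
                "api=SYNO.SynologyDrive.Authentication&method=authenticate"
                "&version=1&username=admin"),
    # 4: reordered parameters and a query string on the URI -> still a hit,
    #    because the rule's content matches are unordered substrings
    HttpRequest("POST", "/webapi/entry.cgi?foo=bar",
                "username=root&version=1&method=authenticate"
                "&api=SYNO.SynologyDrive.Authentication"),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print("hit", hit)
```

Running the module prints the two hits (indices 0 and 4) with the parsed api, method and username. The negated match is deliberately the weak point to keep in mind when tuning: a body that contains the bytes 'password=' in any other parameter name would suppress the alert, which is the same behaviour the Suricata rule has.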