CVE-2024-50631
published 2025-03-19

Priority: P2 61
Severity: high, 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 24.87% (97.6th percentile)

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors.

Affected

8 ranges
Vendor    Product                Version range        Fixed in
synology  drive_server           < 3.0.4-12699        3.0.4-12699
synology  drive_server           < 3.2.1-23280        3.2.1-23280
synology  drive_server           < 3.5.0-26085        3.5.0-26085
synology  drive_server           < 3.5.1-26102        3.5.1-26102
synology  synology_drive_server  >= * < 3.5.1-26102   3.5.1-26102
synology  synology_drive_server  >= * < 3.5.0-26085   3.5.0-26085
synology  synology_drive_server  >= * < 3.2.1-23280   3.2.1-23280
synology  synology_drive_server  >= * < 3.0.4-12699   3.0.4-12699

Detection & IOCs (extracted from sources)

port: 6690
url: github.com/kiddo-pwn/CVE-2024-50629_50631
bytes: |25 52 18 14 46 12 00 00 42|
bytes: |10 00 1a|sharing_link_customization|10 00|
snort:
alert tcp any any -> $HOME_NET 6690 (msg:"ET EXPLOIT Synology Driver Server SQL Injection (CVE-2024-50631)"; flow:established,to_server; content:"|25 52 18 14 46 12 00 00 42|"; startswith; content:"|10 00 1a|sharing_link_customization|10 00|"; fast_pattern; pcre:"/^.{1,20}[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R"; reference:url,github.com/kiddo-pwn/CVE-2024-50629_50631; reference:cve,2024-50631; classtype:bad-unknown; sid:2066335; rev:1; metadata:affected_product Synology, attack_target Server, created_at 2025_12_16, cve CVE_2024_50631, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor TCP traffic to port 6690 (Synology Drive sync daemon) for the magic byte sequence |25 52 18 14 46 12 00 00 42| at the start of the stream, combined with the string 'sharing_link_customization' in the payload — this identifies exploit attempts against the syncing daemon.
  • After matching the protocol header and feature string, look for an SQL injection character (single quote, double quote, semicolon, dash, backslash, asterisk, forward slash) that follows the fast-pattern match after 1 to 20 intervening bytes, as captured by the PCRE: /^.{1,20}[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R
  • The exploit targets the system syncing daemon in Synology Drive Server; traffic direction is client-to-server (established,to_server), so focus detection on inbound connections to the Drive sync port.
  • The SQL injection is limited to write operations only; read/exfiltration via this vector is not indicated by the vulnerability description.
  • Affected versions span multiple release branches; ensure detection/patching covers all: Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085, and 3.5.1-26102.
  • The Snort/ET rule (sid:2066335) references a PoC at github.com/kiddo-pwn/CVE-2024-50629_50631, which covers both CVE-2024-50629 and CVE-2024-50631; review the PoC to understand the full attack surface across both CVEs.
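
The rule's three tests can also be applied offline, for example to byte streams exported from a capture of port 6690 traffic. The following is an added example, not part of the original page or of the rule authors' code; it assumes each input is one already-reassembled client-to-server stream, and `matches_rule`, `triage` and the sample byte strings are constructed for illustration.

```python
import re

# Byte patterns copied from the rule on this page (sid:2066335).
MAGIC = bytes.fromhex("25 52 18 14 46 12 00 00 42")
FEATURE = b"\x10\x00\x1a" + b"sharing_link_customization" + b"\x10\x00"
# Same expression as the rule's pcre. The /R flag is emulated by matching at
# the offset where a FEATURE occurrence ends; "." excludes newline, as in PCRE.
META_AFTER = re.compile(rb".{1,20}[\x27\x22\x3b\x2d\x5c\x2a\x2f]")


def matches_rule(stream: bytes) -> bool:
    """Return True if a client-to-server byte stream passes all three tests."""
    if not stream.startswith(MAGIC):            # content ...; startswith
        return False
    pos = stream.find(FEATURE)                  # content ...; fast_pattern
    while pos != -1:                            # try every occurrence
        if META_AFTER.match(stream, pos + len(FEATURE)):
            return True
        pos = stream.find(FEATURE, pos + 1)
    return False


def triage(streams: dict) -> list:
    """Names of the streams that would fire the rule, in input order."""
    return [name for name, data in streams.items() if matches_rule(data)]


# Constructed byte strings (not captured traffic); filler bytes are arbitrary.
SAMPLES = {
    "meta_after_2_bytes": MAGIC + b"\x00" * 8 + FEATURE + b"ab'cd",
    "meta_immediately": MAGIC + FEATURE + b"'abc",   # pcre needs >= 1 byte first
    "meta_too_far": MAGIC + FEATURE + b"a" * 30 + b";",
    "no_magic_header": b"\x00" + MAGIC + FEATURE + b"ab'cd",
    "plain_value": MAGIC + FEATURE + b"abcdef",
    "newline_in_gap": MAGIC + FEATURE + b"a\nb'",    # "." stops at newline
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20} {'ALERT' if matches_rule(data) else 'pass'}")
```

The `meta_immediately`, `meta_too_far` and `newline_in_gap` cases show where the PCRE, as written, does not fire; treat a non-match as "this signature did not trigger", not as proof the traffic is clean.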