CVE-2024-50631

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in Synology Drive Server's system syncing daemon allows remote attackers to execute write-only SQL commands against the database. It affects all Synology Drive Server versions before the patched releases, potentially compromising data integrity.

💻 Affected Systems

Products:
  • Synology Drive Server
Versions: All versions before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085, and 3.5.1-26102
Operating Systems: Synology DSM
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the system syncing daemon component specifically. Requires network access to the Drive Server service.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate or corrupt database content, potentially leading to data loss, service disruption, or privilege escalation through database manipulation.

🟠 Likely Case

Data tampering or corruption in the Drive Server database, potentially affecting file metadata, user permissions, or synchronization data.

🟢 If Mitigated

Limited to write operations only, preventing data exfiltration but still allowing data manipulation if exploited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The vulnerability is limited to write operations only (no data exfiltration). The attack vector is not specified in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.4-12699, 3.2.1-23280, 3.5.0-26085, or 3.5.1-26102 (depending on your version track)

Vendor Advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_24_21

Restart Required: No

Instructions:

1. Log into DSM as administrator.
2. Open Package Center.
3. Find Synology Drive Server.
4. Click Update if available.
5. Alternatively, download the patched version from Synology's website and install it manually.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict network access to Synology Drive Server to trusted networks only.

Firewall Rules (all)

Implement firewall rules to limit access to Drive Server ports (default 6690).

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor database logs for unusual write operations or SQL errors

🔍 How to Verify

Check if Vulnerable:

Check the installed version of Synology Drive Server in Package Center

Check Version:

No CLI command; check via DSM Package Center interface

Verify Fix Applied:

Verify the version number matches or exceeds the patched versions listed in the advisory
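The check above is manual. As an added example (not part of the advisory and not Synology code), this Python helper compares an installed Drive Server version string against the four patched releases listed on this page. The rule for deciding which patched release applies to a given build is an assumption stated in the docstring, not something the advisory spells out; builds it cannot place on a listed track are treated as vulnerable.

```python
import re
from typing import Tuple

# Patched releases named in the advisory, one per version track.
FIXED_VERSIONS = ("3.0.4-12699", "3.2.1-23280", "3.5.0-26085", "3.5.1-26102")

# Synology Drive Server versions look like "major.minor.patch-build".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split 'major.minor.patch-build' into integers so comparison is numeric,
    not lexical (so 3.5.0-26085 sorts after 3.5.0-9999)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(installed: str) -> bool:
    """Return True if the installed build predates the fix for its track.

    Assumption (not stated in the advisory): a build counts as fixed only when
    it shares major.minor.patch with a listed fix and its build number is at
    least the fixed build, or when it is newer than every listed fix. Any
    other build (for example an unlisted 3.1.x track) is reported as
    vulnerable, the conservative reading of "all versions before" the fixes.
    """
    inst = parse_version(installed)
    fixes = [parse_version(v) for v in FIXED_VERSIONS]
    for fix in fixes:
        if inst[:3] == fix[:3]:
            return inst[3] < fix[3]
    return inst < max(fixes)


def report(installed: str) -> str:
    """Human-readable verdict for an installed version (constructed output)."""
    status = "VULNERABLE" if is_vulnerable(installed) else "patched"
    return f"Synology Drive Server {installed}: {status} (CVE-2024-50631)"
```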

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in Drive Server logs
  • Unexpected database write operations

Network Indicators:

  • Unusual traffic patterns to Drive Server port 6690
  • SQL injection patterns in network traffic

SIEM Query:

source="synology-drive" AND (error OR sql OR injection)
