Impact
Synology Surveillance Station versions before 9.2.2‑11575 and 9.2.2‑9575 contain a flaw in the Export Key feature: the exported key material is transmitted in cleartext. The bug, mapped to CWE‑319 (Cleartext Transmission of Sensitive Information), allows remote authenticated users with administrator privileges to obtain that sensitive information. Because the payload crosses the network unencrypted, it is also observable by anyone positioned on the path between the administrator's client and the server, which is the core of what CWE‑319 describes. The vulnerability does not grant arbitrary code execution, but disclosure of the exported credentials or keys can compromise the confidentiality of the system and of the data it stores.
Affected Systems
Synology Surveillance Station releases earlier than 9.2.2‑11575 or 9.2.2‑9575 (the two fixed builds) are affected. The flaw lies in the Export Key feature that ships as part of the Surveillance Station package, so any server running an older release of that package is exposed whenever an administrator uses Export Key. Releases from 9.2.2‑11575 and 9.2.2‑9575 onward contain the fix, and no further issue of this kind is known in them.
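The version thresholds above are the only concrete check the advisory gives, so here is a small triage helper for them. This is an added example, not code from the page or from Synology; it assumes that 9.2.2‑11575 and 9.2.2‑9575 are the fixed builds of two separate release tracks (the advisory lists both without saying so), and that the installed version is reported as `major.minor.patch-build`. Builds that fall between the two fixed build numbers cannot be classified without knowing the track, so the helper reports them as `check-track` rather than guessing; the inventory list at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class SsVersion(NamedTuple):
    """Surveillance Station version as reported in Package Center, e.g. 9.2.2-11575."""
    major: int
    minor: int
    patch: int
    build: int


# Fixed builds quoted in the advisory. ASSUMPTION: they belong to two distinct
# release tracks, so a build must be compared against the fixed build of its
# own track. Confirm the track for your model with the vendor advisory.
FIXED_BUILDS: Tuple[SsVersion, ...] = (
    SsVersion(9, 2, 2, 11575),
    SsVersion(9, 2, 2, 9575),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> SsVersion:
    """Parse 'M.m.p-build'. Anything else (e.g. a missing build) raises ValueError
    rather than silently comparing as an old version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Surveillance Station version: {text!r}")
    return SsVersion(*(int(g) for g in m.groups()))


def assess(version: str, track_fixed_build: Optional[int] = None) -> str:
    """Return 'affected', 'fixed' or 'check-track'.

    If the caller knows which track the device is on, pass that track's fixed
    build number (11575 or 9575) and the answer is definite. Otherwise the build
    is compared against both fixed builds: older than both is 'affected',
    at or beyond both is 'fixed', and anything in between needs the track."""
    v = parse_version(version)
    if track_fixed_build is not None:
        fixed = next((f for f in FIXED_BUILDS if f.build == track_fixed_build), None)
        if fixed is None:
            raise ValueError(f"unknown fixed build {track_fixed_build}")
        return "affected" if v < fixed else "fixed"
    # Tuple comparison orders by major, minor, patch, then build.
    below = [v < fixed for fixed in FIXED_BUILDS]
    if all(below):
        return "affected"
    if not any(below):
        return "fixed"
    return "check-track"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) pair to its status; unparsable versions are flagged
    as 'unknown' so they are not dropped from the report."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        try:
            report[host] = assess(version)
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    ("nvr-office", "9.2.1-11234"),   # older than both fixed builds
    ("nvr-lobby", "9.2.2-11575"),    # first fixed build on the 11xxx track
    ("nvr-depot", "9.2.2-9600"),     # between the two fixed builds: needs track
    ("nvr-annex", "9.2.2"),          # build number missing from the inventory
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Treat `check-track` as affected until the model's track is confirmed; a conservative triage is cheaper than a missed host.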
Risk and Exploitability
The CVSS base score of 4.9 indicates medium severity, and no EPSS score is available. A score at that level is consistent with the profile described here: network‑reachable, low complexity, high privileges required and a confidentiality‑only impact. Exploitation requires an authenticated administrator, so an attacker must hold valid administrator credentials and have network access to the Surveillance Station interface in order to trigger the Export Key operation. Because the key payload is transmitted over an unencrypted channel, once that operation runs the payload can be captured in transit, potentially enabling further credential compromise. The vulnerability is not listed in CISA's KEV catalogue, which suggests no known widespread exploitation so far, but the cleartext transmission remains abusable, especially where the administrative interface is reachable over untrusted networks. Until the fixed build is installed, the practical mitigation is not to use the Export Key feature at all.
OpenCVE Enrichment