Description
Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
Published: 2026-05-27
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insufficiently protected credentials flaw in the IPSpeaker component of Synology Surveillance Station versions earlier than 9.2.2-11575 and 9.2.2-9575. An authenticated user with administrator privileges can obtain sensitive information, leading to potential exposure of system configuration or user data. The weakness is a credential management issue classified as CWE‑522.

Affected Systems

Synology Surveillance Station, specifically the IPSpeaker component on releases before 9.2.2-11575 and 9.2.2-9575.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, and the EPSS score is not available, so the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires an attacker to be an authenticated administrator, which limits exposure to compromised or mis‑managed accounts. The potential impact is limited to data disclosure rather than system takeover.

Generated by OpenCVE AI on May 27, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Synology Surveillance Station that includes the fix for the IPSpeaker credential protection issue.
  • Restrict administrator accounts only to trusted personnel and regularly review active admin users.
  • If the IPSpeaker component is not required, disable or remove it to eliminate the attack surface.

Generated by OpenCVE AI on May 27, 2026 at 10:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Synology diskstation Manager
CPEs cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*
cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*
cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*
cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*
Vendors & Products Synology diskstation Manager

Wed, 27 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:45:00 +0000

Type Values Removed Values Added
Title Insufficiently Protected Credentials Vulnerability in Synology Surveillance Station IPSpeaker Component
First Time appeared Synology
Synology surveillance Station
Vendors & Products Synology
Synology surveillance Station

Wed, 27 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
Weaknesses CWE-522
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Synology Diskstation Manager Surveillance Station
cve-icon MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T13:45:13.986Z

Reserved: 2024-09-24T03:58:57.133Z

Link: CVE-2024-47271

cve-icon Vulnrichment

Updated: 2026-05-27T13:45:11.368Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T09:16:25.987

Modified: 2026-05-28T18:37:41.423

Link: CVE-2024-47271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:30:28Z

Weaknesses