Security researchers have uncovered a critical vulnerability chain in Synology BeeStation devices that allows attackers to gain complete system control without authentication—and they did it using a groundbreaking technique that bypasses traditional defenses.
The attack chain, originally discovered by DEVCORE's Pumpkin and Orange Tsai during Pwn2Own 2024, combines three vulnerabilities (CVE-2024-50629 through 50631) affecting BeeStation BST150-4T devices. What makes this research particularly notable is the novel exploitation method developed by independent researcher kiddo-pwn, who introduced a universal SQLite injection technique that works even without PHP—a first in the security community.
The exploit begins with a CRLF injection vulnerability that allows attackers to manipulate HTTP headers and leak usernames from system logs. Next, a flawed authentication mechanism in the syncd daemon enables attackers to bypass password checks by omitting the password parameter entirely—the system then falls back to a weaker authentication path designed for local requests.
The final stage involves SQL injection in the update_settings command. Here's where it gets innovative: instead of the standard PHP web shell approach, the researcher weaponized SQLite's ATTACH DATABASE feature to write malicious cron jobs directly to the system scheduler.
The Game-Changing Technique
The breakthrough lies in exploiting cron's fault-tolerant parsing. While SQLite injection typically creates files polluted with binary database headers, the researcher discovered that cron simply ignores malformed lines and executes valid entries. By wrapping a reverse shell command in newlines, the attacker creates a legitimate cron job buried within SQLite metadata—giving them root access when the scheduler runs.
"This SQLite Injection RCE technique demonstrates a universal application feasible in general Linux environments," the researcher noted, emphasizing its applicability beyond PHP-dependent systems.
Synology has released patches in DSM 7.2.2-72806-1 and BSM 1.1-65374. Users should immediately update their BeeStation and Synology Drive Server installations to version 3.5.1-26102 or later. A proof-of-concept exploit is now publicly available, making unpatched systems actively vulnerable to attack.