How the CVE Works:
The vulnerability exists in the `sub.cgi` component of Synology VideoStation’s VideoPlayer2. This CGI script, intended for handling subtitle files (.srt), does not properly validate or sanitize user-supplied input within authenticated HTTP requests. An attacker with valid user credentials can craft an HTTP request containing directory traversal sequences (e.g., ../../../) or direct file paths within the `file` or `path` parameters. The flawed script processes the crafted request and returns the contents of arbitrary `.srt` files from the filesystem, bypassing intended access controls. This leads to unauthorized disclosure of subtitle file contents, which could contain sensitive metadata or transcribed dialogue.
Platform: Synology VideoStation
Version: VideoPlayer2 Package
Vulnerability: Authenticated File Read
Severity: Medium
Date: 2025-12-04
Prediction: 2025-12-18
What Undercode Say:
`$ curl -k -s "https://target:5001/webman/3rdparty/VideoPlayer2/sub.cgi?file=../../../../etc/passwd.srt"`
`$ wget --user=attacker --password=pass "https://nas.local//webman/3rdparty/VideoPlayer2/sub.cgi?path=/var/services/homes/admin/secret.srt"`
How the Exploit Works:
1. Attacker obtains valid user credentials.
2. Attacker crafts an HTTP GET request to `sub.cgi` with a traversal payload.
3. The script fetches and returns the content of the targeted `.srt` file.
Protection from this CVE
Update VideoStation package.
Implement network segmentation.
Apply principle of least privilege.
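Until the package is updated, requests of the kind described above can be hunted for in the web access log. The following is an added example, not code from Synology or from the original post: it flags `sub.cgi` requests whose `file` or `path` parameter contains a traversal segment or an absolute path outside the media share. The combined-style log format, the `/volume1/video/` root and all function names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate subtitle requests only reference files under these roots.
ALLOWED_ROOTS = ("/volume1/video/",)
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Logs record the raw URI, so undo repeated percent-encoding before inspection."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value, reason)] for sub.cgi requests worth triage."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/VideoPlayer2/sub.cgi"):
        return []
    findings = []
    query = parse_qs(url.query, keep_blank_values=True)
    for param in ("file", "path"):  # the two parameters named in the advisory
        for raw in query.get(param, []):
            value = fully_decode(raw).replace("\\", "/")
            if ".." in value.split("/"):
                findings.append((param, value, "traversal sequence"))
            elif value.startswith("/") and not value.startswith(ALLOWED_ROOTS):
                findings.append((param, value, "absolute path outside media roots"))
    return findings

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [04/Dec/2025:10:00:01 +0000] "GET /webman/3rdparty/VideoPlayer2/sub.cgi?file=/volume1/video/movie.srt HTTP/1.1" 200 512',
    '10.0.0.9 - bob [04/Dec/2025:10:00:07 +0000] "GET /webman/3rdparty/VideoPlayer2/sub.cgi?file=../../../../etc/passwd.srt HTTP/1.1" 200 90',
    '10.0.0.9 - bob [04/Dec/2025:10:00:09 +0000] "GET /webman/3rdparty/VideoPlayer2/sub.cgi?path=/var/services/homes/admin/secret.srt HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for param, value, reason in suspicious_params(line):
            print(f"ALERT {reason}: {param}={value}")
```

A 200 response on a flagged request is the case to triage first, since it means the script returned file content.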
Impact:
Unauthorized information disclosure.
Sensitive metadata exposure.
Sources:
Reported By: nvd.nist.gov

