CVE-2015-6911

Synology Video Station < 1.5-0757 - SQL Injection via id Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6911.

AI-analyzed exploit summary The exploit demonstrates a command injection vulnerability in Synology Video Station's subtitle.cgi and SQL injection vulnerabilities in watchstatus.cgi and audiotrack.cgi. The command injection allows arbitrary command execution with root privileges, while the SQL injections enable arbitrary SQL statement execution with DBA privileges.

Description

SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi.

Exploits (1)

exploitdb WORKING POC
webappscgi
https://www.exploit-db.com/exploits/38128

The exploit demonstrates a command injection vulnerability in Synology Video Station's subtitle.cgi and SQL injection vulnerabilities in watchstatus.cgi and audiotrack.cgi. The command injection allows arbitrary command execution with root privileges, while the SQL injections enable arbitrary SQL statement execution with DBA privileges.

Classification
Working Poc 100%
Attack Type
Rce | Sqli
Complexity
Trivial
Reliability
Reliable
Target: Synology Video Station up to and including version 1.5-0757
No auth needed
Prerequisites: Network access to the target Synology Video Station · Public share option enabled for unauthenticated exploitation
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (5)

Core 5

Scores

EPSS 0.0243
EPSS Percentile 82.1%

Details

CWE
CWE-89
Status published
Products (1)
synology/video_station < 1.5-0757
Published Sep 11, 2015
Tracked Since Feb 18, 2026