CVE-2017-11153

CRITICAL

Synology Photo Station < 6.7.3-3432 RCE via Deserialization in synophoto_csPhotoMisc.php


Exploitation Summary

EIP tracks one public exploit for CVE-2017-11153, a PoC published by Kacper Szurek.

AI-analyzed exploit summary: This exploit chains multiple vulnerabilities in Synology Photo Station to achieve remote code execution. It involves session manipulation, arbitrary file upload, and path traversal to execute PHP code as the PhotoStation user.

Description

Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.

Exploits (1)

exploit-db · Working PoC · Verified
by Kacper Szurek · python · webapps · hardware
https://www.exploit-db.com/exploits/42434

Classification
Working PoC (95% confidence)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Synology Photo Station (versions affected by CVE-2017-11155)
No auth needed
Prerequisites: Network access to the target Synology Photo Station · Knowledge of the target IP address
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry · Exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/42434/

Scores

CVSS v3 9.8
EPSS 0.1910
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (3)
synology/photo_station 6.3-2967
synology/photo_station < 6.7.2-3429
Synology/Synology Photo Station before 6.7.3-3432 and 6.3-2967
Published Aug 08, 2017
Tracked Since Feb 18, 2026