CVE-2017-11155

HIGH

Synology Photo Station < 6.7.3-3432 and 6.3-2967 - Exposure of Sensitive System Information via index.php

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-11155. PoCs published by Kacper Szurek.

AI-analyzed exploit summary: This exploit chains multiple vulnerabilities in Synology Photo Station to achieve remote code execution. It involves session manipulation, arbitrary file upload, and path traversal to execute PHP code as the PhotoStation user.

Description

An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Kacper Szurek · python · webapps · hardware
https://www.exploit-db.com/exploits/42434


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Synology Photo Station (versions affected by CVE-2017-11155)
No auth needed
Prerequisites: Network access to the target Synology Photo Station · Knowledge of the target IP address
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42434/

Scores

CVSS v3: 7.5
EPSS: 0.4457
EPSS Percentile: 98.6%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-200, CWE-205
Status: published
Products (3)
synology/photo_station 6.3-2967
synology/photo_station < 6.7.2-3429
Synology/Synology Photo Station before 6.7.3-3432 and 6.3-2967
Published: Aug 08, 2017
Tracked Since: Feb 18, 2026