CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Description (NVD)
Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content when installing.
Analysis (AI)
Arbitrary file write with restricted content in Synology ActiveProtect Agent before 1.1.0-0439 is exploitable by local users during the installation process due to an origin validation error (CWE-346). The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates a low-complexity local attack requiring user interaction - consistent with exploitation during an installation workflow - and scores high on availability impact (A:H) while integrity impact is limited (I:L), suggesting the file write can disrupt system stability despite content restrictions. No public exploit code exists and CISA SSVC rates exploitation as none with partial technical impact.
Technical Context (AI)
CWE-346 (Origin Validation Error) describes failures where software does not properly verify that a resource or message originates from a trusted, expected source. In this context, the Synology ActiveProtect Agent installer does not correctly validate the origin of files or data being written during setup, allowing a local user to influence the write destination or content. The affected product is Synology ActiveProtect Agent, a backup and data protection agent component within Synology's ActiveProtect appliance ecosystem. The CPE-equivalent scope per EUVD is all versions of ActiveProtect Agent prior to 1.1.0-0439. The CVSS vector's PR:N (no privileges required) combined with AV:L (local) suggests the attacker needs only local system access - not administrative rights - but does require user interaction (UI:R), most plausibly the execution of the installer itself. The 'restricted content' qualifier in the description implies the attacker cannot write fully arbitrary content but can still influence writes to potentially sensitive paths, explaining the asymmetry between A:H and I:L scores.
RemediationAI
Upgrade Synology ActiveProtect Agent to version 1.1.0-0439 or later, which contains the vendor-released fix per Synology Security Advisory SA_25_15 (https://www.synology.com/en-global/security/advisory/Synology_SA_25_15). As a compensating control prior to patching, restrict local user access on systems where ActiveProtect Agent installations are performed - specifically, limit which accounts can initiate the installation process, reducing the pool of potential exploiters (trade-off: operational friction for administrators). Additionally, run installations only in trusted, isolated environments where untrusted local users are not present. Since UI:R is required, avoiding execution of the installer in multi-user sessions provides marginal additional protection. No workaround that eliminates the origin validation flaw short of patching has been confirmed by the vendor.
EUVD-2025-209958
GHSA-r6c2-6c2c-g3cg