
Active Backup for Business CVE-2025-30028

EUVD-2025-209961 | Severity: HIGH
Weakness: SQL Injection (CWE-89)
2026-05-27 | security@synology.com | GHSA-7vp3-7c6g-7rvm
CVSS 3.1 base score: 8.6

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: May 27, 2026 - 21:01 (vuln.today)
Patch available: May 27, 2026 - 19:46 (EUVD)

Description (source: NVD)

A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.

Analysis (AI-generated)

Arbitrary file disclosure in Synology Active Backup for Business (DSM add-on package, versions before 2.7.1-3234) lets unauthenticated remote attackers read sensitive files on the host via a SQL injection flaw (CWE-89). The vulnerability scores CVSS 8.6 with a changed scope and high confidentiality impact, but EPSS estimates only a 0.04% (14th percentile) exploitation probability, no public exploit was identified at the time of analysis, and there is no CISA KEV listing. Synology, which self-reported the issue, has released a fixed package.

Technical Context (AI-generated)

Active Backup for Business is Synology's enterprise backup application, distributed as an installable package that runs on DSM-based NAS appliances and backs up servers, VMs, and PCs. The root cause is classified as CWE-89 (SQL Injection) and the vendor tags it 'SQLi', meaning attacker-controlled input is concatenated into a backend database query without proper parameterization. In this case the injection is leveraged not to alter data but to read arbitrary files - consistent with the CVSS impact profile of C:H/I:N/A:N (confidentiality only), which suggests the injected query is used to coerce the database or application into returning file contents rather than to modify state. The CVSS scope-changed flag (S:C) indicates the impact reaches resources beyond the vulnerable application's own security context, such as files belonging to the underlying DSM system. No CPE strings were provided in the source data, so affected-product identification relies on the EUVD version ranges and the Synology advisory.

Remediation (AI-generated)

Patch available per vendor advisory: upgrade Active Backup for Business to the fixed build for your platform - 2.7.1-3234, 2.7.1-13234, or 2.7.1-23234 (or later), according to the channel that matches your DSM appliance (confirm the exact target build against Synology_SA_25_02 at https://www.synology.com/en-global/security/advisory/Synology_SA_25_02). No vendor workaround is published in the available data; until the package is updated, reduce exposure by ensuring the NAS and its backup services are not reachable from the internet (restrict them to a management VLAN or VPN) and by limiting inbound access to the DSM/Active Backup ports via firewall rules, accepting that this may interrupt remote backup agents or off-site backup workflows that legitimately need that connectivity. Because the flaw is unauthenticated and network-reachable, prioritize patching any appliance that is externally exposed.
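A fleet check for the upgrade step above, added here as an editor's example (not vuln.today or Synology code): it parses DSM package version strings and compares them against the three fixed builds named in the advisory. The hostnames and installed versions are constructed sample data, and the rule that the three fixed builds differ only by a 10000-step channel offset is an assumption made for the channel lookup.

```python
"""Check installed Active Backup for Business versions against the fixed
builds for CVE-2025-30028 (2.7.1-3234 / 2.7.1-13234 / 2.7.1-23234)."""
import re
from typing import NamedTuple

FIXED_BASE = (2, 7, 1)                 # major.minor.patch of the fixed release
FIXED_BUILDS = (3234, 13234, 23234)    # one fixed build per delivery channel

class PkgVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(text: str) -> PkgVersion:
    """Parse a DSM package version string such as '2.7.1-13234'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised package version: {text!r}")
    return PkgVersion(*(int(g) for g in m.groups()))

def fixed_build_for(build: int) -> int:
    """Pick the advisory's fixed build for the installed build's channel.
    ASSUMPTION: channels are distinguished by the 10000s bucket of the build
    number, since the three fixed builds differ by exactly 10000."""
    for fixed in FIXED_BUILDS:
        if fixed // 10000 == build // 10000:
            return fixed
    raise ValueError(f"build {build} does not map to a known channel")

def is_patched(installed: str) -> bool:
    """True if the installed version is at or above the fixed build."""
    v = parse_version(installed)
    base = (v.major, v.minor, v.patch)
    if base != FIXED_BASE:
        return base > FIXED_BASE
    return v.build >= fixed_build_for(v.build)

def vulnerable_hosts(inventory: dict) -> list:
    """Return hostnames whose ABB package still needs the update."""
    return sorted(h for h, ver in inventory.items() if not is_patched(ver))

# Constructed sample inventory (hostname -> installed package version).
SAMPLE_INVENTORY = {
    "nas-hq-01": "2.7.1-3234",
    "nas-hq-02": "2.7.0-3221",
    "nas-branch-01": "2.7.1-13250",
    "nas-branch-02": "2.7.1-13100",
    "nas-lab-01": "2.8.0-3300",
}

if __name__ == "__main__":
    print("needs update:", vulnerable_hosts(SAMPLE_INVENTORY))
```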
