Skip to main content

Active Backup Agent CVE-2025-66592

| EUVDEUVD-2025-209962 MEDIUM
Origin Validation Error (CWE-346)
2026-05-27 security@synology.com GHSA-v5xx-f9gc-j856
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 22:23 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content during installation.

AnalysisAI

Synology Active Backup for Business Agent before version 3.1.0-4967 contains an origin validation error (CWE-346) that permits local users to write arbitrary files with restricted content during the installation process, resulting in high availability impact and limited integrity compromise. The CVSS vector (AV:L/PR:N/UI:R) indicates exploitation requires local system access and user interaction - specifically, the installation must be in progress. No public exploit code has been identified and EPSS sits at 0.00%, aligning with SSVC's 'exploitation: none' assessment, indicating this is a low-urgency but legitimate local privilege abuse risk during deployment windows.

Technical ContextAI

CWE-346 (Origin Validation Error) describes a failure to verify that the source of data or a communication is legitimate before processing or acting on it. In the context of an installer for a backup agent, this class of weakness commonly manifests when the installation routine processes files or inputs without verifying their provenance - allowing a local actor to substitute or influence file content that the installer writes to restricted paths. Synology Active Backup for Business Agent (CPE-implied: synology:active_backup_for_business_agent, versions prior to 3.1.0-4967) is an endpoint agent responsible for backing up data to a Synology NAS; its installer likely runs with elevated trust, making origin validation failures during this phase impactful despite the local-only attack vector. The high availability impact (A:H) alongside low integrity impact (I:L) suggests the attacker can disrupt agent functionality or write files that cause crashes/service denial rather than full system compromise.

RemediationAI

Upgrade Synology Active Backup for Business Agent to version 3.1.0-4967 or later, as released and confirmed by Synology security advisory Synology_SA_25_16 (https://www.synology.com/en-global/security/advisory/Synology_SA_25_16). Since exploitation is limited to the installation window and requires local access, organizations that cannot immediately patch should restrict who has local console or RDP/SSH access to endpoints during agent installation - specifically, ensure that installation is performed only in controlled, single-user sessions rather than on shared or multi-user systems. As a compensating control, monitor for unexpected file writes to system paths during installation processes using endpoint detection tools; however, this does not prevent the write from occurring, only detects it post-facto. The patch is vendor-confirmed available.

CVE-2013-6955 CRITICAL POC
10.0 Jan 09

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before

CVE-2017-15889 HIGH POC
8.8 Dec 04

Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authe

CVE-2017-9554 MEDIUM POC
5.3 Jul 24

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allo

CVE-2015-6912 CRITICAL POC
10.0 Sep 11

Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact

CVE-2013-6987 HIGH POC
7.5 Dec 31

Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before

CVE-2017-11155 HIGH POC
7.5 Aug 08

An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remot

CVE-2017-11153 CRITICAL POC
9.8 Aug 08

Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allo

CVE-2017-11151 CRITICAL POC
9.8 Aug 08

A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers

CVE-2016-10329 CRITICAL POC
9.8 May 12

Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to exec

CVE-2017-11152 HIGH POC
7.5 Aug 08

Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 all

CVE-2020-27655 CRITICAL POC
10.0 Oct 29

Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to acce

CVE-2024-10443 CRITICAL POC
9.8 Nov 15

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager

Share

CVE-2025-66592 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy