CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Description (NVD)
An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content during installation.
Analysis (AI)
Synology Active Backup for Business Agent before version 3.1.0-4967 contains an origin validation error (CWE-346) that permits local users to write arbitrary files with restricted content during the installation process, resulting in high availability impact and limited integrity compromise. The CVSS vector (AV:L/PR:N/UI:R) indicates that exploitation requires local system access and user interaction; specifically, the installation must be in progress. No public exploit code has been identified and EPSS sits at 0.00%, which aligns with SSVC's 'exploitation: none' assessment. This is a low-urgency but legitimate local privilege abuse risk during deployment windows.
Technical Context (AI)
CWE-346 (Origin Validation Error) describes a failure to verify that the source of data or a communication is legitimate before processing or acting on it. In the context of an installer for a backup agent, this class of weakness commonly manifests when the installation routine processes files or inputs without verifying their provenance - allowing a local actor to substitute or influence file content that the installer writes to restricted paths. Synology Active Backup for Business Agent (CPE-implied: synology:active_backup_for_business_agent, versions prior to 3.1.0-4967) is an endpoint agent responsible for backing up data to a Synology NAS; its installer likely runs with elevated trust, making origin validation failures during this phase impactful despite the local-only attack vector. The high availability impact (A:H) alongside low integrity impact (I:L) suggests the attacker can disrupt agent functionality or write files that cause crashes/service denial rather than full system compromise.
Remediation (AI)
Upgrade Synology Active Backup for Business Agent to version 3.1.0-4967 or later, as released and confirmed by Synology security advisory Synology_SA_25_16 (https://www.synology.com/en-global/security/advisory/Synology_SA_25_16). Since exploitation is limited to the installation window and requires local access, organizations that cannot immediately patch should restrict who has local console or RDP/SSH access to endpoints during agent installation - specifically, ensure that installation is performed only in controlled, single-user sessions rather than on shared or multi-user systems. As a compensating control, monitor for unexpected file writes to system paths during installation processes using endpoint detection tools; however, this does not prevent the write from occurring, only detects it post-facto. The patch is vendor-confirmed available.
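The following added example, which is not Synology's code or part of the original advisory, triages an agent inventory against the fixed version 3.1.0-4967 named above. The hostnames and installed versions are constructed sample data, and the function names are hypothetical. Versions are compared numerically because a plain string comparison would rank build 10000 below build 4967.

```python
import re

FIXED = "3.1.0-4967"  # first fixed release, as stated in the advisory text above
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor, patch, build), or None if text is not a version."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, patch, build = m.groups()
    # A version reported without a build number sorts below every numbered
    # build of the same release, so "3.1.0" is conservatively treated as
    # older than "3.1.0-4967".
    return (int(major), int(minor), int(patch), int(build) if build else -1)


def classify(version_text, fixed=FIXED):
    """Return 'patched', 'vulnerable', or 'unknown' for one reported version."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # unparseable or missing: needs manual follow-up
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"


def triage(inventory):
    """Group (host, version) pairs by patch status, preserving input order."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("ws-finance-01", "3.0.0-4638"),
    ("ws-finance-02", "3.1.0-4967"),
    ("srv-build-01", "2.7.1-3235"),
    ("ws-hr-03", "3.1.0"),
    ("ws-lab-07", "not installed"),
    ("srv-db-02", "3.1.1-5001"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed patched.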
EUVD-2025-209962
GHSA-v5xx-f9gc-j856