Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content during installation.
AnalysisAI
Synology Active Backup for Business Agent before version 3.1.0-4967 contains an origin validation error (CWE-346) that permits local users to write arbitrary files with restricted content during the installation process, resulting in high availability impact and limited integrity compromise. The CVSS vector (AV:L/PR:N/UI:R) indicates exploitation requires local system access and user interaction - specifically, the installation must be in progress. No public exploit code has been identified and EPSS sits at 0.00%, aligning with SSVC's 'exploitation: none' assessment, indicating this is a low-urgency but legitimate local privilege abuse risk during deployment windows.
Technical ContextAI
CWE-346 (Origin Validation Error) describes a failure to verify that the source of data or a communication is legitimate before processing or acting on it. In the context of an installer for a backup agent, this class of weakness commonly manifests when the installation routine processes files or inputs without verifying their provenance - allowing a local actor to substitute or influence file content that the installer writes to restricted paths. Synology Active Backup for Business Agent (CPE-implied: synology:active_backup_for_business_agent, versions prior to 3.1.0-4967) is an endpoint agent responsible for backing up data to a Synology NAS; its installer likely runs with elevated trust, making origin validation failures during this phase impactful despite the local-only attack vector. The high availability impact (A:H) alongside low integrity impact (I:L) suggests the attacker can disrupt agent functionality or write files that cause crashes/service denial rather than full system compromise.
RemediationAI
Upgrade Synology Active Backup for Business Agent to version 3.1.0-4967 or later, as released and confirmed by Synology security advisory Synology_SA_25_16 (https://www.synology.com/en-global/security/advisory/Synology_SA_25_16). Since exploitation is limited to the installation window and requires local access, organizations that cannot immediately patch should restrict who has local console or RDP/SSH access to endpoints during agent installation - specifically, ensure that installation is performed only in controlled, single-user sessions rather than on shared or multi-user systems. As a compensating control, monitor for unexpected file writes to system paths during installation processes using endpoint detection tools; however, this does not prevent the write from occurring, only detects it post-facto. The patch is vendor-confirmed available.
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authe
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allo
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remot
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allo
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to exec
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 all
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to acce
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209962
GHSA-v5xx-f9gc-j856