CVE-2025-30028
Unauthorized File Read in Synology Active Backup for Business
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Synology Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| synology | active_backup_for_business | to 2.7.1-3234 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Synology Active Backup for Business and allows unauthorized remote attackers to read arbitrary files on the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the vulnerability in Active Backup for Business impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive information because attackers can remotely read arbitrary files without any privileges or user interaction.
According to the CVSS v3.1 score of 8.6, this is a high-severity issue with network attack vector, low attack complexity, no privileges required, no user interaction, and it impacts confidentiality with a high impact.