Description
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors.
Published: 2026-06-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator includes functionality from an untrusted control sphere (CWE-829). Local users can execute arbitrary code through unspecified vectors, potentially gaining full control over the affected device.

Affected Systems

All installations of Synology Active Backup for Business Recovery Media Creator with versions prior to 2.5.0-2081 are affected. No other vendors or products were reported as impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity threat, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Because the vector is local, the risk is concentrated against internal actors or individuals with physical or local network access, and could facilitate system compromise if exploited.

Generated by OpenCVE AI on June 3, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Synology Active Backup for Business Recovery Media Creator to version 2.5.0-2081 or later.
  • If an immediate update is not possible, limit local user permissions and restrict access to the OpenSSL configuration components used by the application.
  • Monitor logs for unusual local process creation or privilege escalation attempts to detect potential exploitation.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Local Code Execution via Untrusted OpenSSL Configuration in Synology Active Backup for Business Recovery Media Creator

Wed, 03 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors.
Weaknesses CWE-829
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-06-03T15:50:14.277Z

Reserved: 2024-09-24T08:40:22.263Z

Link: CVE-2022-49036

Vulnrichment

Updated: 2026-06-03T15:50:10.555Z

NVD

Status: Undergoing Analysis

Published: 2026-06-03T14:16:24.997

Modified: 2026-06-04T15:35:18.623

Link: CVE-2022-49036

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T15:30:26Z

Weaknesses