Description
An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute arbitrary code via unspecified vectors.
Published: 2026-06-03
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Synology Hyper Backup Explorer contains a flaw where inclusion of functionality from an untrusted control sphere in the MinGW DLL component allows local users to execute arbitrary code. The vulnerability is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and gives an attacker the ability to run malicious code with the privileges of the local user. This can compromise the integrity and confidentiality of the system, potentially leading to full system compromise if the user has elevated rights.

Affected Systems

Versions of Synology Hyper Backup Explorer older than 3.0.1-0156 are affected. Users running the affected MinGW DLL component are at risk. The issue does not affect other Synology products directly, only the Hyper Backup Explorer application.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score is not provided, suggesting insufficient publicly available data on exploitation frequency. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is local, requiring that the attacker have local user access to the system. If such access is obtained, arbitrary code execution can occur without additional network exploitation.

Generated by OpenCVE AI on June 3, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hyper Backup Explorer to version 3.0.1-0156 or later as described in Synology’s release notes, which removes the vulnerable MinGW DLL component.
  • If an update cannot be performed immediately, remove or disable the vulnerable MinGW DLL file until a patch is applied to prevent local code execution.
  • Restrict local user accounts that have access to Hyper Backup Explorer, granting only the minimum privileges needed, and audit system activity for suspicious execution attempts.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 16:15:00 +0000

Type | Values Removed | Values Added
Title | | Local Code Execution Vulnerability in Synology Hyper Backup Explorer Due to Untrusted MinGW DLL Inclusion

Wed, 03 Jun 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute arbitrary code via unspecified vectors.
Weaknesses | | CWE-829
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-06-03T13:23:29.734Z

Reserved: 2024-09-24T08:40:22.264Z

Link: CVE-2022-49042

Vulnrichment

Updated: 2026-06-03T15:49:46.291Z

NVD

Status: Received

Published: 2026-06-03T14:16:25.530

Modified: 2026-06-03T14:16:25.530

Link: CVE-2022-49042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T16:00:16Z

Weaknesses