Description
Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content when installing.
Published: 2026-05-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an origin validation error in the Synology ActiveProtect Agent. This flaw allows a local user to install the agent and place arbitrary files with restricted content on the system. The issue is identified as CWE‑346, indicating that the software lacks proper access control when validating incoming installation data, which can be abused to write files that have potentially malicious or unintended content.

Affected Systems

Synology ActiveProtect Agent versions prior to 1.1.0-0439 are affected. The vulnerability applies to installations performed by any local user with sufficient privileges to run the agent’s installer on Synology devices.

Risk and Exploitability

The CVSS score of 6.1 reflects medium severity, and the EPSS score is currently unavailable, making it unclear how frequently this flaw is exploited in the wild. The vulnerability is not listed in CISA’s KEV catalog. Because the attack requires local installation privileges, the risk is limited to users with such permissions, but unrestricted file write capabilities can lead to broader system impacts if abused.

Generated by OpenCVE AI on May 27, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ActiveProtect Agent to version 1.1.0-0439 or later, as released by Synology.
  • Limit the installation of the agent to trusted administrators by enforcing role‑based access controls and disabling installation rights for other users.
  • If the agent is not required, uninstall it or ensure that its installer and installation directories are inaccessible to non‑admin users.

Generated by OpenCVE AI on May 27, 2026 at 10:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content when installing.
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T08:38:27.318Z

Reserved: 2025-11-24T06:58:48.721Z

Link: CVE-2025-13593

cve-icon Vulnrichment

Updated: 2026-05-27T12:49:08.004Z

cve-icon NVD

Status : Received

Published: 2026-05-27T09:16:26.730

Modified: 2026-05-27T09:16:26.730

Link: CVE-2025-13593

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T11:00:13Z

Weaknesses