Description
A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.
Published: 2026-05-27
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Active Backup for Business contains a vulnerability that allows remote attackers to read arbitrary files. The weakness is classified as CWE-89 (SQL injection), indicating that malicious input can manipulate database queries or other processing paths to disclose data. The result is a confidentiality breach that could expose sensitive configuration, credentials, or backup content; no denial of service or code execution is noted.

Affected Systems

Synology Active Backup for Business is affected. No specific version information is provided in the advisory, so all deployed instances are treated as vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 8.6 classifies the vulnerability as high severity. EPSS is not available, and the CVE is not listed in the CISA KEV catalog, indicating that large-scale exploitation has not yet been confirmed. The attack vector is remote (AV:N in the CVSS vector): it requires network access to the Active Backup service and relies on the injection flaw to read files without authentication (PR:N, UI:N). While the required conditions are relatively simple, the potential impact on data confidentiality is substantial.

Generated by OpenCVE AI on May 27, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch or upgrade to the latest version of Synology Active Backup for Business.
  • Restrict access to the Active Backup for Business service by configuring firewall rules to allow only trusted hosts.
  • Monitor and audit logs for anomalous file read attempts to detect potential exploitation.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

  • Title (value added): Remote File Read Vulnerability in Synology Active Backup for Business

Wed, 27 May 2026 10:45:00 +0000

  • First Time appeared (values added): Synology; Synology active Backup For Business
  • Vendors & Products (values added): Synology; Synology active Backup For Business

Wed, 27 May 2026 09:00:00 +0000

  • Description (value added): A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.
  • Weaknesses (value added): CWE-89
  • References
  • Metrics (value added): cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T08:40:46.699Z

Reserved: 2025-03-14T08:18:10.204Z

Link: CVE-2025-30028

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T09:16:27.370

Modified: 2026-05-27T09:16:27.370

Link: CVE-2025-30028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:00:13Z

Weaknesses