Synology: Five Vulnerabilities Disclosed, Including Two High-Severity Code Execution Flaws
Synology disclosed five vulnerabilities on June 3, 2026, affecting Hyper Backup, Note Station Client, and Active Backup for Business, with two rated High.

Key findings
- Two High-severity vulnerabilities (CVE-2022-49042, CVE-2022-49036) allow local code execution.
- Three Medium-severity vulnerabilities include Path Traversal and cleartext credential transmission.
- Affected products include Hyper Backup, Note Station Client, and Active Backup for Business.
- Patches are available for all disclosed vulnerabilities, with specific version updates provided.
- The vulnerabilities were disclosed simultaneously on June 3, 2026.
Synology addressed a cluster of five vulnerabilities on June 3, 2026, impacting several of its business and data protection applications. The disclosures include two high-severity flaws that could allow local users to execute arbitrary code, alongside three medium-severity issues related to path traversal and cleartext transmission of sensitive information.
The most severe vulnerabilities, CVE-2022-49042 and CVE-2022-49036, both carry a High severity rating with a CVSSv3 score of 7.8. CVE-2022-49042, an 'inclusion of functionality from untrusted control sphere' vulnerability within the MinGW DLL component of Synology Hyper Backup Explorer (prior to version 3.0.1-0156), could permit local users to execute arbitrary code. Similarly, CVE-2022-49036, affecting the OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator (prior to version 2.5.0-2081), also presents a risk of arbitrary code execution for local users due to an untrusted control sphere issue.
In addition to the code execution risks, three medium-severity vulnerabilities were also patched. CVE-2024-47273 and CVE-2024-47263 both involve 'improper limitation of a pathname to a restricted directory' (Path Traversal) within Synology Hyper Backup. These flaws, present in versions before 4.1.2-4036, allow remote authenticated users to write specific files. CVE-2024-47263 specifically notes that administrator privileges are required for this action. The third medium-severity vulnerability, CVE-2023-52951, affects the Synology Note Station Client (before version 2.2.4-703). This 'cleartext transmission of sensitive information' vulnerability could enable man-in-the-middle attackers to intercept user credentials.
Synology has released patches for all disclosed vulnerabilities. Hyper Backup has been updated to version 4.1.2-4036, Hyper Backup Explorer to 3.0.1-0156, Note Station Client to 2.2.4-703, and Active Backup for Business Recovery Media Creator to 2.5.0-2081. Users are strongly advised to update their Synology applications to the latest available versions to mitigate these security risks.
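
The fixed versions above can be checked against a software inventory. The following is an added example, not Synology code: the inventory format, hostnames and installed versions are constructed, and the `major.minor.patch-build` layout is assumed from the version strings quoted in this article.

```python
import re

# Fixed versions and CVE IDs exactly as listed in the article above.
FIXED = {
    "Hyper Backup": ("4.1.2-4036", ["CVE-2024-47273", "CVE-2024-47263"]),
    "Hyper Backup Explorer": ("3.0.1-0156", ["CVE-2022-49042"]),
    "Note Station Client": ("2.2.4-703", ["CVE-2023-52951"]),
    "Active Backup for Business Recovery Media Creator": ("2.5.0-2081", ["CVE-2022-49036"]),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn 'major.minor.patch-build' into a tuple of ints, or None if malformed."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def audit(inventory):
    """Return (host, product, installed, fixed, cves, status) for each finding.

    Status is VULNERABLE when installed < fixed, UNKNOWN when the installed
    version cannot be parsed. Patched or unlisted products yield no finding.
    """
    findings = []
    for host, product, installed in inventory:
        if product not in FIXED:
            continue
        fixed, cves = FIXED[product]
        have = parse_version(installed)
        if have is None:
            findings.append((host, product, installed, fixed, cves, "UNKNOWN"))
        elif have < parse_version(fixed):  # numeric compare, not string compare
            findings.append((host, product, installed, fixed, cves, "VULNERABLE"))
    return findings


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    ("nas-01", "Hyper Backup", "4.1.1-3936"),
    ("nas-02", "Hyper Backup", "4.1.10-4100"),  # newer: 10 > 2 numerically
    ("ws-07", "Hyper Backup Explorer", "3.0.1-0155"),
    ("ws-08", "Note Station Client", "2.2.4-703"),
    ("ws-09", "Active Backup for Business Recovery Media Creator", "unknown"),
]

if __name__ == "__main__":
    for host, product, installed, fixed, cves, status in audit(SAMPLE_INVENTORY):
        print(f"{status:10} {host}: {product} {installed} (fixed in {fixed}) {', '.join(cves)}")
```

Entries reported as UNKNOWN should be reviewed by hand rather than assumed patched.
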
This batch of disclosures highlights ongoing security efforts by Synology to address vulnerabilities across its product suite. The presence of high-severity code execution flaws underscores the importance of timely patching for critical business applications. Users should remain vigilant and ensure their Synology devices are running the most up-to-date software to protect against potential exploitation.