CVE-2025-30028
Description
A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection vulnerability in Synology Active Backup for Business allows unauthenticated remote attackers to read arbitrary files.
Vulnerability
CVE-2025-30028 is an SQL injection vulnerability (CWE-89) in Synology Active Backup for Business. The flaw exists in the application's handling of user-supplied input, allowing an attacker to inject arbitrary SQL commands. Affected versions include Active Backup for Business for DSM 7.2 before 2.7.1-23234, for DSM 7.1 before 2.7.1-13234, and for DSM 6.2 before 2.7.1-3234 [1].
Exploitation
An attacker can exploit this vulnerability remotely without any authentication or user interaction. By sending specially crafted HTTP requests to the vulnerable endpoint, the attacker can inject SQL queries that bypass intended restrictions. No special network position is required beyond network access to the Synology NAS running the affected service [1].
Impact
Successful exploitation allows the attacker to read arbitrary files from the underlying file system. This leads to a high confidentiality impact, as sensitive data such as configuration files, credentials, or user data may be exposed. The CVSS v3.1 base score is 8.6 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating a scope change and no impact on integrity or availability [1].
Mitigation
Synology has released fixed versions: upgrade Active Backup for Business to 2.7.1-23234 or later for DSM 7.2, 2.7.1-13234 or later for DSM 7.1, and 2.7.1-3234 or later for DSM 6.2. No workaround is available; applying the update is the only mitigation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.