CVE-2025-30028

HIGH

Synology Active Backup For Business - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Title source: rule
STIX 2.1

Description

A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
Synology-SA-25:02 Active Backup for Business
https://www.synology.com/en-global/security/advisory/Synology_SA_25_02

Scores

CVSS v3 8.6
EPSS 0.0037
EPSS Percentile 28.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (6)
Synology/Active Backup for Business < 2.7.1-13234
Synology/Active Backup for Business < 2.7.1-23234
Synology/Active Backup for Business < 2.7.1-3234
synology/active_backup_for_business 2.7.1-23234
synology/active_backup_for_business 2.7.1-13234
synology/active_backup_for_business 2.7.1-3234
Published May 27, 2026
Tracked Since May 27, 2026