high advisory

CVE-2025-30028: Synology Active Backup for Business Arbitrary File Read

CVE-2025-30028 is a vulnerability in Synology Active Backup for Business that allows unauthorized remote attackers to read arbitrary files due to improper neutralization of special elements used in an SQL Command ('SQL Injection').

CVE-2025-30028 affects Synology Active Backup for Business. The root cause is improper neutralization of special elements used in an SQL command (SQL injection), which allows unauthorized remote attackers to read arbitrary files on the system. Exploitation requires no authentication, so the flaw poses a significant risk to the confidentiality of data stored within Active Backup for Business. This vulnerability was disclosed on May 27, 2026.

Attack Chain

  1. An unauthenticated attacker sends a crafted HTTP request to the Active Backup for Business server.
  2. The request exploits an SQL injection vulnerability within the application’s handling of user-supplied input.
  3. The injected SQL code bypasses authentication and authorization checks.
  4. The attacker crafts the SQL injection payload to read arbitrary files from the file system.
  5. The application executes the malicious SQL query against the database.
  6. The database returns the contents of the requested file to the application.
  7. The application sends the contents of the file back to the attacker in the HTTP response.
  8. The attacker obtains unauthorized access to sensitive data stored on the server.

Impact

Successful exploitation of CVE-2025-30028 allows unauthorized remote attackers to read arbitrary files on a Synology Active Backup for Business server. This could lead to the exposure of sensitive data, including backup configurations, user credentials, and protected data stored within the backups. The vulnerability has a CVSS v3.1 score of 8.6, indicating a high severity.

Recommendation

  • Apply the security update provided by Synology as detailed in their advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_25_02.
  • Deploy the Sigma rule provided below to detect potential exploitation attempts against Active Backup for Business.
  • Monitor web server logs for suspicious SQL injection attempts targeting Active Backup for Business endpoints using the provided Sigma rule.

Detection coverage (2 rules)

Detects CVE-2025-30028 Exploitation — SQL Injection in Active Backup for Business

Severity: high

Detects CVE-2025-30028 exploitation attempts via SQL injection in Synology Active Backup for Business by monitoring for suspicious SQL commands in HTTP requests.

Format: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detects CVE-2025-30028 Exploitation - Suspicious Characters in URI

Severity: medium

Detects CVE-2025-30028 exploitation attempts via SQL injection by detecting unusual characters often used in SQL injection attacks within the URI.

Format: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver
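The two detection ideas above (SQL constructs and SQL metacharacters in the request URI), sketched in Python over access-log lines. This is an added example, not one of the platform's Sigma rules and not Synology code. The log lines and the `/abb-placeholder/` path prefix are constructed assumptions, since this page does not name the affected endpoints.

```python
import re
from urllib.parse import unquote_plus

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')
# High confidence: SQL constructs in the decoded query string.
SQL_KEYWORDS = re.compile(
    r"\bunion\b.{0,40}\bselect\b|\bselect\b.{0,80}\bfrom\b"
    r"|\bor\b\s+\d+\s*=\s*\d+|;\s*(?:select|insert|update|delete|drop)\b",
    re.IGNORECASE | re.DOTALL,
)
# Medium confidence: characters that rarely belong in a query string.
SQL_CHARS = re.compile(r"'|--|/\*|\*/|;")

# Constructed log lines; "/abb-placeholder/" is an assumed stand-in path.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /abb-placeholder/api?task_id=42 HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Jan/2025:10:00:05 +0000] "GET /abb-placeholder/api?task_id=42%27%20UNION%20SELECT%20null-- HTTP/1.1" 200 2048',
    '203.0.113.12 - - [01/Jan/2025:10:00:09 +0000] "GET /abb-placeholder/api?name=o%2527brien HTTP/1.1" 400 0',
    '203.0.113.13 - - [01/Jan/2025:10:00:12 +0000] "GET /other/page?q=select%20a%20plan%20from%20us HTTP/1.1" 200 100',
]

def decode_fully(uri, max_rounds=3):
    """Undo repeated URL encoding (%2527 -> %27 -> ') before matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line, path_prefix):
    """Return 'high', 'medium' or None for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    uri = decode_fully(m.group("uri"))
    if not uri.startswith(path_prefix):
        return None  # scope to the application to limit false positives
    query = uri.partition("?")[2]
    if SQL_KEYWORDS.search(query):
        return "high"
    if SQL_CHARS.search(query):
        return "medium"
    return None

def scan(lines, path_prefix="/abb-placeholder/"):
    """Return (line index, severity) for every flagged line."""
    return [(i, sev) for i, line in enumerate(lines)
            if (sev := classify(line, path_prefix))]
```

Input carried in a POST body or header never reaches the URI field of an access log, so a scan like this covers only query-string input and complements, rather than replaces, applying the vendor update.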
