Attack Chain

1. An unauthenticated attacker sends a crafted HTTP request to the Active Backup for Business server.
2. The request exploits an SQL injection vulnerability within the application’s handling of user-supplied input.
3. The injected SQL code bypasses authentication and authorization checks.
4. The attacker crafts the SQL injection payload to read arbitrary files from the file system.
5. The application executes the malicious SQL query against the database.
6. The database returns the contents of the requested file to the application.
7. The application sends the contents of the file back to the attacker in the HTTP response.
8. The attacker obtains unauthorized access to sensitive data stored on the server.

Impact

Successful exploitation of CVE-2025-30028 allows unauthorized remote attackers to read arbitrary files on a Synology Active Backup for Business server. This could lead to the exposure of sensitive data, including backup configurations, user credentials, and protected data stored within the backups. The vulnerability has a CVSS v3.1 score of 8.6, indicating a high severity.

Recommendation

• Apply the security update provided by Synology as detailed in their advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_25_02.
• Deploy the Sigma rule provided below to detect potential exploitation attempts against Active Backup for Business.
• Monitor web server logs for suspicious SQL injection attempts targeting Active Backup for Business endpoints using the provided Sigma rule.