{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/synology/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2025-30028"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Backup for Business"],"_cs_severities":["high"],"_cs_tags":["cve-2025-30028","sql-injection","synology"],"_cs_type":"advisory","_cs_vendors":["Synology"],"content_html":"\u003cp\u003eCVE-2025-30028 is a security vulnerability affecting Synology Active Backup for Business. This vulnerability allows unauthorized remote attackers to read arbitrary files on the system. The root cause is an Improper Neutralization of Special Elements used in an SQL Command, also known as SQL Injection. An attacker can exploit this vulnerability without authentication, posing a significant risk to the confidentiality of data stored within Active Backup for Business. This vulnerability was disclosed on May 27, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the Active Backup for Business server.\u003c/li\u003e\n\u003cli\u003eThe request exploits an SQL injection vulnerability within the application\u0026rsquo;s handling of user-supplied input.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code bypasses authentication and authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the SQL injection payload to read arbitrary files from the file system.\u003c/li\u003e\n\u003cli\u003eThe application executes the malicious SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe database returns the contents of the requested file to the application.\u003c/li\u003e\n\u003cli\u003eThe application sends the contents of the file back to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains unauthorized access to sensitive data stored on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-30028 allows unauthorized remote attackers to read arbitrary files on a Synology Active Backup for Business server. This could lead to the exposure of sensitive data, including backup configurations, user credentials, and protected data stored within the backups. The vulnerability has a CVSS v3.1 score of 8.6, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Synology as detailed in their advisory: \u003ca href=\"https://www.synology.com/en-global/security/advisory/Synology_SA_25_02\"\u003ehttps://www.synology.com/en-global/security/advisory/Synology_SA_25_02\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts against Active Backup for Business.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious SQL injection attempts targeting Active Backup for Business endpoints using the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T09:18:13Z","date_published":"2026-05-27T09:18:13Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-30028/","summary":"CVE-2025-30028 is a vulnerability in Synology Active Backup for Business that allows unauthorized remote attackers to read arbitrary files due to improper neutralization of special elements used in an SQL Command ('SQL Injection').","title":"CVE-2025-30028: Synology Active Backup for Business Arbitrary File Read","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-30028/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-13392"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DiskStation Manager (DSM) \u003c 7.2.2-72806-5","DiskStation Manager (DSM) \u003c 7.3.1-86003-1"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","cve-2025-13392","synology"],"_cs_type":"advisory","_cs_vendors":["Synology"],"content_html":"\u003cp\u003eCVE-2025-13392 describes an authentication bypass vulnerability affecting the SSO component of Synology DiskStation Manager (DSM). The vulnerability exists in versions prior to 7.2.2-72806-5 and 7.3.1-86003-1, while version 7.2.1-69057 is not affected. A remote attacker with prior knowledge of the distinguished name (DN) can exploit this flaw to bypass authentication. This vulnerability enables unauthorized access to Synology DiskStation Manager devices. Successful exploitation allows attackers to gain administrative access to the device and the data it stores. Given the widespread use of Synology NAS devices for both personal and business data storage, this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Synology DSM instance running a version prior to 7.2.2-72806-5 or 7.3.1-86003-1.\u003c/li\u003e\n\u003cli\u003eAttacker obtains the distinguished name (DN) of a valid user account. This could be achieved through reconnaissance or data breaches.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious authentication request to the SSO service, leveraging the improper checks for unusual or exceptional conditions.\u003c/li\u003e\n\u003cli\u003eThe crafted request utilizes the known DN to bypass the authentication process.\u003c/li\u003e\n\u003cli\u003eThe SSO service incorrectly validates the malicious authentication request.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the DSM instance with the privileges associated with the user whose DN was used.\u003c/li\u003e\n\u003cli\u003eThe attacker can now access and modify files, settings, and configurations within the DSM.\u003c/li\u003e\n\u003cli\u003eThe attacker can install malware, exfiltrate sensitive data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-13392 allows remote attackers to bypass authentication on Synology DiskStation Manager (DSM) devices. This can lead to complete compromise of the device and the data stored on it, including sensitive personal and business information. The impact can range from data theft and ransomware attacks to disruption of critical services provided by the NAS. Given the high CVSS score of 8.1, this vulnerability is considered a critical threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Synology DiskStation Manager (DSM) to versions 7.2.2-72806-5 or 7.3.1-86003-1, or later to patch CVE-2025-13392.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious authentication attempts to the Synology DSM SSO service. Deploy the Sigma rules provided to detect anomalous SSO authentication patterns.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication to mitigate the impact of potential credential compromise, although this vulnerability bypasses authentication entirely with a known DN.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T09:17:49Z","date_published":"2026-05-27T09:17:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-13392-dsm-auth-bypass/","summary":"Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 is vulnerable to improper checks for unusual or exceptional conditions in SSO, allowing remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).","title":"CVE-2025-13392 - Synology DiskStation Manager (DSM) Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-13392-dsm-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2023-52945"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BeeDrive for desktop"],"_cs_severities":["high"],"_cs_tags":["dll-hijacking","privilege-escalation","cve-2023-52945"],"_cs_type":"advisory","_cs_vendors":["Synology"],"content_html":"\u003cp\u003eSynology BeeDrive for desktop is susceptible to an uncontrolled search path element vulnerability in its OpenSSL DLL component. This flaw, identified as CVE-2023-52945, allows a local attacker to execute arbitrary code on the system. The vulnerability exists in versions prior to 1.3.2-13814. An attacker can exploit this by placing a malicious OpenSSL DLL in a directory that BeeDrive searches before the legitimate system directory. Due to the BeeDrive application loading the DLL, the attacker\u0026rsquo;s code will be executed within the context of the BeeDrive process, potentially granting them elevated privileges or access to sensitive data. This vulnerability poses a significant risk to systems where BeeDrive is installed, as it can be exploited to compromise the system\u0026rsquo;s integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies that Synology BeeDrive loads an OpenSSL DLL component.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the DLL search order used by BeeDrive, likely by observing process monitor logs.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious OpenSSL DLL that contains arbitrary code to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL in a directory that BeeDrive searches before the legitimate OpenSSL DLL location (e.g., the application directory, a user-controlled directory in the system\u0026rsquo;s PATH).\u003c/li\u003e\n\u003cli\u003eThe attacker launches Synology BeeDrive.\u003c/li\u003e\n\u003cli\u003eBeeDrive loads the malicious OpenSSL DLL from the attacker-controlled directory instead of the legitimate one.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s arbitrary code within the malicious DLL is executed within the context of the BeeDrive process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the BeeDrive process and can perform actions such as escalating privileges, stealing credentials, or installing malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-52945 allows a local user to execute arbitrary code with the privileges of the BeeDrive application. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. Since the vulnerability can be exploited by any local user, it increases the attack surface for privilege escalation. The impact is high due to the potential for arbitrary code execution and the ease of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Synology BeeDrive for desktop to version 1.3.2-13814 or later to patch CVE-2023-52945.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for BeeDrive\u0026rsquo;s installation directory to detect unauthorized DLL modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect BeeDrive Suspicious DLL Loading\u003c/code\u003e to identify potentially malicious DLLs loaded by BeeDrive.\u003c/li\u003e\n\u003cli\u003eEnforce strict access control policies to limit user access to sensitive directories and files, mitigating the impact of local privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T09:17:32Z","date_published":"2026-05-27T09:17:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-synology-beedrive-dll-hijacking/","summary":"Synology BeeDrive for desktop before 1.3.2-13814 is vulnerable to an uncontrolled search path element, allowing local users to execute arbitrary code through a maliciously placed OpenSSL DLL component.","title":"Synology BeeDrive DLL Hijacking Vulnerability (CVE-2023-52945)","url":"https://feed.craftedsignal.io/briefs/2026-05-synology-beedrive-dll-hijacking/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-12686"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BeeStation Manager (BSM) before 1.3.2-65648","BeeStation OS before 1.3.2-65648","AdminCenter"],"_cs_severities":["critical"],"_cs_tags":["cve-2025-12686","buffer-overflow","remote-code-execution","synology"],"_cs_type":"advisory","_cs_vendors":["Synology"],"content_html":"\u003cp\u003eCVE-2025-12686 describes a critical buffer overflow vulnerability affecting the AdminCenter component within Synology BeeStation Manager (BSM) and BeeStation OS. This vulnerability, present in versions prior to 1.3.2-65648, allows remote attackers to execute arbitrary code on the affected system. Due to insufficient input validation during buffer copying operations, an attacker can potentially overwrite memory regions, leading to arbitrary code execution. This vulnerability poses a significant risk to BeeStation devices, potentially allowing attackers to gain complete control of the device and any data stored on it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable BeeStation device running a version of BeeStation Manager (BSM) or BeeStation OS prior to 1.3.2-65648.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input designed to exploit the buffer overflow within the AdminCenter component. The specific attack vector is unspecified, but involves sending data to AdminCenter.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted input to the vulnerable AdminCenter component.\u003c/li\u003e\n\u003cli\u003eThe AdminCenter component processes the input without properly validating its size.\u003c/li\u003e\n\u003cli\u003eThe input overflows the allocated buffer during a copy operation, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites critical memory locations, such as function return addresses or code pointers, with attacker-controlled values.\u003c/li\u003e\n\u003cli\u003eWhen the function attempts to return or execute the overwritten code pointer, control is transferred to the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the BeeStation device, potentially gaining full system control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-12686 allows a remote attacker to execute arbitrary code on a vulnerable Synology BeeStation device. This can lead to complete system compromise, including unauthorized access to sensitive data, modification of system settings, and the potential use of the device as a foothold for further attacks within the network. Given the high CVSS score of 9.8, the impact of this vulnerability is considered critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Synology BeeStation Manager (BSM) and BeeStation OS to version 1.3.2-65648 or later to patch CVE-2025-12686.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity targeting BeeStation devices, such as unusually large requests to AdminCenter, to potentially detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rules to detect potential exploitation attempts (see below).\u003c/li\u003e\n\u003cli\u003eReview Synology\u0026rsquo;s security advisory Synology_SA_25_12 for further mitigation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T09:17:16Z","date_published":"2026-05-27T09:17:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-12686-beestation-overflow/","summary":"A buffer overflow vulnerability exists in the AdminCenter component of Synology BeeStation Manager (BSM) and BeeStation OS before version 1.3.2-65648, allowing remote attackers to execute arbitrary code through unspecified vectors (CVE-2025-12686).","title":"CVE-2025-12686 - Synology BeeStation Manager and OS AdminCenter Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-12686-beestation-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Synology","version":"https://jsonfeed.org/version/1.1"}