<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Synology — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/synology/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 27 May 2026 09:18:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/synology/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2025-30028: Synology Active Backup for Business Arbitrary File Read</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2025-30028/</link><pubDate>Wed, 27 May 2026 09:18:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2025-30028/</guid><description>CVE-2025-30028 is a vulnerability in Synology Active Backup for Business that allows unauthorized remote attackers to read arbitrary files due to improper neutralization of special elements used in an SQL Command ('SQL Injection').</description><content:encoded><![CDATA[<p>CVE-2025-30028 is a security vulnerability affecting Synology Active Backup for Business. This vulnerability allows unauthorized remote attackers to read arbitrary files on the system. The root cause is an Improper Neutralization of Special Elements used in an SQL Command, also known as SQL Injection. An attacker can exploit this vulnerability without authentication, posing a significant risk to the confidentiality of data stored within Active Backup for Business. This vulnerability was disclosed on May 27, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a crafted HTTP request to the Active Backup for Business server.</li>
<li>The request exploits an SQL injection vulnerability within the application&rsquo;s handling of user-supplied input.</li>
<li>The injected SQL code bypasses authentication and authorization checks.</li>
<li>The attacker crafts the SQL injection payload to read arbitrary files from the file system.</li>
<li>The application executes the malicious SQL query against the database.</li>
<li>The database returns the contents of the requested file to the application.</li>
<li>The application sends the contents of the file back to the attacker in the HTTP response.</li>
<li>The attacker obtains unauthorized access to sensitive data stored on the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-30028 allows unauthorized remote attackers to read arbitrary files on a Synology Active Backup for Business server. This could lead to the exposure of sensitive data, including backup configurations, user credentials, and protected data stored within the backups. The vulnerability has a CVSS v3.1 score of 8.6, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Synology as detailed in their advisory: <a href="https://www.synology.com/en-global/security/advisory/Synology_SA_25_02">https://www.synology.com/en-global/security/advisory/Synology_SA_25_02</a>.</li>
<li>Deploy the Sigma rule provided below to detect potential exploitation attempts against Active Backup for Business.</li>
<li>Monitor web server logs for suspicious SQL injection attempts targeting Active Backup for Business endpoints using the provided Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2025-30028</category><category>sql-injection</category><category>synology</category></item><item><title>CVE-2025-13392 - Synology DiskStation Manager (DSM) Authentication Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2025-13392-dsm-auth-bypass/</link><pubDate>Wed, 27 May 2026 09:17:49 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2025-13392-dsm-auth-bypass/</guid><description>Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 is vulnerable to improper checks for unusual or exceptional conditions in SSO, allowing remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).</description><content:encoded><![CDATA[<p>CVE-2025-13392 describes an authentication bypass vulnerability affecting the SSO component of Synology DiskStation Manager (DSM). The vulnerability exists in versions prior to 7.2.2-72806-5 and 7.3.1-86003-1, while version 7.2.1-69057 is not affected. A remote attacker with prior knowledge of the distinguished name (DN) can exploit this flaw to bypass authentication. This vulnerability enables unauthorized access to Synology DiskStation Manager devices. Successful exploitation allows attackers to gain administrative access to the device and the data it stores. Given the widespread use of Synology NAS devices for both personal and business data storage, this vulnerability poses a significant risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Synology DSM instance running a version prior to 7.2.2-72806-5 or 7.3.1-86003-1.</li>
<li>Attacker obtains the distinguished name (DN) of a valid user account. This could be achieved through reconnaissance or data breaches.</li>
<li>Attacker crafts a malicious authentication request to the SSO service, leveraging the improper checks for unusual or exceptional conditions.</li>
<li>The crafted request utilizes the known DN to bypass the authentication process.</li>
<li>The SSO service incorrectly validates the malicious authentication request.</li>
<li>The attacker gains unauthorized access to the DSM instance with the privileges associated with the user whose DN was used.</li>
<li>The attacker can now access and modify files, settings, and configurations within the DSM.</li>
<li>The attacker can install malware, exfiltrate sensitive data, or disrupt services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-13392 allows remote attackers to bypass authentication on Synology DiskStation Manager (DSM) devices. This can lead to complete compromise of the device and the data stored on it, including sensitive personal and business information. The impact can range from data theft and ransomware attacks to disruption of critical services provided by the NAS. Given the high CVSS score of 8.1, this vulnerability is considered a critical threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Synology DiskStation Manager (DSM) to version 7.2.2-72806-5 or 7.3.1-86003-1 (or later) to patch CVE-2025-13392.</li>
<li>Monitor network traffic for suspicious authentication attempts to the Synology DSM SSO service. Deploy the Sigma rules provided to detect anomalous SSO authentication patterns.</li>
<li>Implement strong password policies and multi-factor authentication to mitigate the impact of potential credential compromise, although this vulnerability bypasses authentication entirely with a known DN.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication-bypass</category><category>cve-2025-13392</category><category>synology</category></item><item><title>Synology BeeDrive DLL Hijacking Vulnerability (CVE-2023-52945)</title><link>https://feed.craftedsignal.io/briefs/2026-05-synology-beedrive-dll-hijacking/</link><pubDate>Wed, 27 May 2026 09:17:32 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-synology-beedrive-dll-hijacking/</guid><description>Synology BeeDrive for desktop before 1.3.2-13814 is vulnerable to an uncontrolled search path element, allowing local users to execute arbitrary code through a maliciously placed OpenSSL DLL component.</description><content:encoded><![CDATA[<p>Synology BeeDrive for desktop is susceptible to an uncontrolled search path element vulnerability in its OpenSSL DLL component. This flaw, identified as CVE-2023-52945, allows a local attacker to execute arbitrary code on the system. The vulnerability exists in versions prior to 1.3.2-13814. An attacker can exploit this by placing a malicious OpenSSL DLL in a directory that BeeDrive searches before the legitimate system directory. Due to the BeeDrive application loading the DLL, the attacker&rsquo;s code will be executed within the context of the BeeDrive process, potentially granting them elevated privileges or access to sensitive data. This vulnerability poses a significant risk to systems where BeeDrive is installed, as it can be exploited to compromise the system&rsquo;s integrity and confidentiality.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies that Synology BeeDrive loads an OpenSSL DLL component.</li>
<li>The attacker determines the DLL search order used by BeeDrive, likely by observing process monitor logs.</li>
<li>The attacker creates a malicious OpenSSL DLL that contains arbitrary code to be executed.</li>
<li>The attacker places the malicious DLL in a directory that BeeDrive searches before the legitimate OpenSSL DLL location (e.g., the application directory, a user-controlled directory in the system&rsquo;s PATH).</li>
<li>The attacker launches Synology BeeDrive.</li>
<li>BeeDrive loads the malicious OpenSSL DLL from the attacker-controlled directory instead of the legitimate one.</li>
<li>The attacker&rsquo;s arbitrary code within the malicious DLL is executed within the context of the BeeDrive process.</li>
<li>The attacker gains control of the BeeDrive process and can perform actions such as escalating privileges, stealing credentials, or installing malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2023-52945 allows a local user to execute arbitrary code with the privileges of the BeeDrive application. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. Since the vulnerability can be exploited by any local user, it increases the attack surface for privilege escalation. The impact is high due to the potential for arbitrary code execution and the ease of exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Synology BeeDrive for desktop to version 1.3.2-13814 or later to patch CVE-2023-52945.</li>
<li>Implement file integrity monitoring for BeeDrive&rsquo;s installation directory to detect unauthorized DLL modifications.</li>
<li>Deploy the Sigma rule <code>Detect BeeDrive Suspicious DLL Loading</code> to identify potentially malicious DLLs loaded by BeeDrive.</li>
<li>Enforce strict access control policies to limit user access to sensitive directories and files, mitigating the impact of local privilege escalation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dll-hijacking</category><category>privilege-escalation</category><category>cve-2023-52945</category></item><item><title>CVE-2025-12686 - Synology BeeStation Manager and OS AdminCenter Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2025-12686-beestation-overflow/</link><pubDate>Wed, 27 May 2026 09:17:16 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2025-12686-beestation-overflow/</guid><description>A buffer overflow vulnerability exists in the AdminCenter component of Synology BeeStation Manager (BSM) and BeeStation OS before version 1.3.2-65648, allowing remote attackers to execute arbitrary code through unspecified vectors (CVE-2025-12686).</description><content:encoded><![CDATA[<p>CVE-2025-12686 describes a critical buffer overflow vulnerability affecting the AdminCenter component within Synology BeeStation Manager (BSM) and BeeStation OS. This vulnerability, present in versions prior to 1.3.2-65648, allows remote attackers to execute arbitrary code on the affected system. Due to insufficient input validation during buffer copying operations, an attacker can potentially overwrite memory regions, leading to arbitrary code execution. This vulnerability poses a significant risk to BeeStation devices, potentially allowing attackers to gain complete control of the device and any data stored on it.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable BeeStation device running a version of BeeStation Manager (BSM) or BeeStation OS prior to 1.3.2-65648.</li>
<li>The attacker crafts a malicious input designed to exploit the buffer overflow within the AdminCenter component. The specific attack vector is unspecified, but involves sending data to AdminCenter.</li>
<li>The attacker sends the crafted input to the vulnerable AdminCenter component.</li>
<li>The AdminCenter component processes the input without properly validating its size.</li>
<li>The input overflows the allocated buffer during a copy operation, overwriting adjacent memory regions.</li>
<li>The attacker overwrites critical memory locations, such as function return addresses or code pointers, with attacker-controlled values.</li>
<li>When the function attempts to return or execute the overwritten code pointer, control is transferred to the attacker&rsquo;s code.</li>
<li>The attacker executes arbitrary code on the BeeStation device, potentially gaining full system control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-12686 allows a remote attacker to execute arbitrary code on a vulnerable Synology BeeStation device. This can lead to complete system compromise, including unauthorized access to sensitive data, modification of system settings, and the potential use of the device as a foothold for further attacks within the network. Given the high CVSS score of 9.8, the impact of this vulnerability is considered critical.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Synology BeeStation Manager (BSM) and BeeStation OS to version 1.3.2-65648 or later to patch CVE-2025-12686.</li>
<li>Monitor network traffic for suspicious activity targeting BeeStation devices, such as unusually large requests to AdminCenter, to potentially detect exploitation attempts.</li>
<li>Deploy the Sigma rules provided below to detect potential exploitation attempts.</li>
<li>Review Synology&rsquo;s security advisory Synology_SA_25_12 for further mitigation guidance.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2025-12686</category><category>buffer-overflow</category><category>remote-code-execution</category><category>synology</category></item></channel></rss>