
A significant security vulnerability has been identified in Synology's Active Backup for Microsoft 365 (ABM), potentially exposing sensitive data across all Microsoft 365 tenants utilizing this backup solution. This flaw, designated as CVE-2025-4679, was discovered by the security firm ModZero during a routine red-team assessment.
Understanding the Vulnerability
The core of the vulnerability is the handling of OAuth credentials during the ABM setup process. Synology's OAuth middleware (synooauth.synology.com) returned a static client_secret inside an HTTP 302 redirect response, where anyone performing the setup, or anything on the path that sees the redirect (the browser, a proxy, request logs), could read it. The client_secret belonged to Synology's global, multi-tenant application registration, not to an individual customer's tenant. Because every tenant that had set up ABM had already granted consent to that application, an attacker holding the secret could request app-only access tokens from any such tenant using the OAuth 2.0 client-credentials grant and present them to the Microsoft Graph API, obtaining read-only access to:
  • All Microsoft Teams channel messages, both public and private.
  • Organizational group memberships and related content.
  • Embedded media and cards within Teams conversations.
This means that any organization with ABM installed was potentially exposed: the leaked credential plus the target's tenant ID (which is publicly discoverable) was enough, and no prior foothold in the target environment was required.
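To make the mechanism concrete, the following is an added example (not code from the article, from ModZero or from Synology). It shows why a client_secret in a redirect is a leak, and how little a tenant-independent token request needs once the secret is known: the redirect shape, the secret value and the tenant ID are constructed for illustration; only the client ID is taken from the article. The request is built but deliberately not sent.

```python
"""Added example: a static client_secret leaked in a 302 redirect becomes a
tenant-independent OAuth 2.0 client-credentials request.

Assumptions: the Location header below, the secret value and the tenant ID are
constructed; the client ID is the one quoted in the article."""
from urllib.parse import urlsplit, parse_qs, urlencode

ABM_CLIENT_ID = "b4f234da-3a1a-4f4d-a058-23ed08928904"  # from the article

# Parameters that must never appear in a redirect: the browser, proxies and
# access logs all see the Location header.
SENSITIVE_PARAMS = {"client_secret", "code", "access_token", "refresh_token", "id_token"}


def sensitive_params_in_redirect(location: str) -> dict:
    """Return credential-bearing parameters found in a Location header's
    query string or fragment (empty dict if the redirect is clean)."""
    parts = urlsplit(location)
    found = {}
    for raw in (parts.query, parts.fragment):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            if name in SENSITIVE_PARAMS:
                found[name] = values[0]
    return found


def build_client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """Build the token request for the OAuth 2.0 client-credentials grant against
    a tenant's v2.0 token endpoint. Nothing here depends on the victim except
    tenant_id, which is discoverable from the tenant's domain name."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # App-only scope; the permissions were granted when the tenant consented to ABM.
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, urlencode(form)


# Constructed 302 Location header modeled on the article's description of the leak.
LEAKED_LOCATION = (
    "https://example.invalid/abm/callback?"
    f"client_id={ABM_CLIENT_ID}&client_secret=CONSTRUCTED~secret.value&state=xyz"
)

if __name__ == "__main__":
    leaked = sensitive_params_in_redirect(LEAKED_LOCATION)
    print("parameters exposed by the redirect:", leaked)
    # Constructed tenant ID; the request is built only to show its shape.
    url, body = build_client_credentials_request(
        "11111111-2222-3333-4444-555555555555", ABM_CLIENT_ID, leaked["client_secret"]
    )
    print("POST", url)
    print(body)
```

The hardened design is the mirror image of this: the secret is used only in a server-to-server call from the component that owns it, the redirect carries at most a short-lived authorization code bound to a state value, and each customer tenant gets its own credential so that one leak cannot be replayed against every other tenant.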
Potential Impact
With over 1.2 million ABM installations reported, the implications of this vulnerability are vast. Attackers could leverage the exposed credential to:
  • Conduct Espionage: Access to internal communications could facilitate corporate espionage, allowing attackers to gather sensitive information about business operations, strategies, and confidential discussions.
  • Prepare for Ransomware Attacks: By analyzing internal communications and organizational structures, attackers could plan and execute targeted ransomware attacks, maximizing their impact and potential ransom payouts.
  • Sell Data on Underground Markets: Sensitive information extracted from communications could be sold to competitors or other malicious entities, leading to financial and reputational damage.
The ease of exploitation makes this vulnerability particularly concerning: it requires only possession of the leaked credential, which anyone who went through the ABM setup could capture from the redirect, and no initial access to the target environment.
Disclosure and Response
ModZero reported the vulnerability to Synology on April 4, 2025. While Synology acknowledged the issue and assigned it CVE-2025-4679, there was a notable discrepancy in the assessment of its severity. ModZero proposed a CVSS score of 8.6, indicating a high severity level, whereas Synology rated it at 6.5, categorizing it as moderate. Synology's public advisory provided limited details, stating:
"A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors."
This lack of detailed information and absence of specific guidance for customers has raised concerns within the cybersecurity community. ModZero emphasized the need for transparency and proactive communication to ensure that organizations can adequately protect themselves.
Recommendations for Organizations
Organizations utilizing Synology's Active Backup for Microsoft 365 should take the following steps to mitigate potential risks:
  • Audit Sign-In Logs: In the Entra ID sign-in logs, review service principal sign-ins for the ABM application (client ID b4f234da-3a1a-4f4d-a058-23ed08928904) and flag any that originate from a source address other than the NAS that runs ABM, or at times when that NAS was not running a backup.
  • Monitor Graph API Requests: Implement monitoring to detect unusual or unauthorized requests to the Microsoft Graph API, especially requests for Teams messages and group content made under that application identity.
  • Apply Synology's Fix: The leaked secret belongs to Synology's own application registration, so customers cannot rotate it themselves; apply the update Synology has released for ABM and confirm that backups continue to work afterwards. More generally, prefer integrations in which each tenant receives its own credential and the secret never leaves the server that uses it.
  • Stay Informed: Regularly check for updates from Synology regarding patches or additional guidance related to this vulnerability.
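The sign-in audit above can be automated. The following is an added example (not code from the article or from Synology) that runs a simple detection over exported service principal sign-in records: any sign-in by the ABM application whose source address is outside the NAS's expected egress network is flagged. The field names (appId, ipAddress, createdDateTime, resourceDisplayName, status.errorCode) are an assumption modeled on Entra ID's service principal sign-in records, and the log lines, addresses and timestamps are constructed for the example.

```python
"""Added example: flag Entra ID service-principal sign-ins for the ABM application
that do not come from the NAS's expected egress address.

Assumptions: field names are modeled on Entra ID service principal sign-in records;
the log lines, IP addresses and timestamps below are constructed. The client ID is
the one quoted in the article."""
import ipaddress
import json

ABM_CLIENT_ID = "b4f234da-3a1a-4f4d-a058-23ed08928904"  # from the article

# Constructed sample: one sign-in from the NAS's own egress address (203.0.113.10),
# two from an unrelated address, and one unrelated application for contrast.
# 7000215 is the Entra error code for an invalid client secret, i.e. what a
# replay of a rotated secret would look like.
SAMPLE_LOG = """
{"createdDateTime":"2025-04-10T02:00:11Z","appId":"b4f234da-3a1a-4f4d-a058-23ed08928904","servicePrincipalName":"Synology Active Backup for Microsoft 365","ipAddress":"203.0.113.10","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2025-04-10T14:37:52Z","appId":"b4f234da-3a1a-4f4d-a058-23ed08928904","servicePrincipalName":"Synology Active Backup for Microsoft 365","ipAddress":"198.51.100.77","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2025-04-10T14:38:03Z","appId":"b4f234da-3a1a-4f4d-a058-23ed08928904","servicePrincipalName":"Synology Active Backup for Microsoft 365","ipAddress":"198.51.100.77","resourceDisplayName":"Microsoft Graph","status":{"errorCode":7000215}}
{"createdDateTime":"2025-04-10T15:00:00Z","appId":"00000000-0000-0000-0000-000000000001","servicePrincipalName":"Other App","ipAddress":"198.51.100.77","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
"""


def find_suspicious_abm_signins(log_text: str, expected_egress, app_id: str = ABM_CLIENT_ID):
    """Return sign-ins by app_id whose source IP lies outside expected_egress
    (a list of CIDR strings). Failed attempts are reported too: a burst of
    invalid-secret errors after a rotation is itself evidence of replay."""
    allowed = [ipaddress.ip_network(net) for net in expected_egress]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("appId") != app_id:
            continue
        ip = ipaddress.ip_address(entry["ipAddress"])
        if any(ip in net for net in allowed):
            continue
        hits.append({
            "time": entry["createdDateTime"],
            "ip": entry["ipAddress"],
            "resource": entry.get("resourceDisplayName"),
            "succeeded": entry.get("status", {}).get("errorCode", 0) == 0,
        })
    return hits


if __name__ == "__main__":
    # The NAS's public egress network is constructed here; use your own.
    for hit in find_suspicious_abm_signins(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(hit)
```

A successful hit from an unexpected address means a token was issued to someone holding the application's credential; the natural next step is to pull the Graph activity for that time window and check which Teams and group resources were read.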
Broader Implications
This incident underscores the critical importance of secure credential management and the potential risks associated with third-party integrations in cloud environments. Organizations must remain vigilant, ensuring that all components of their IT infrastructure adhere to best security practices to prevent similar vulnerabilities.
In conclusion, while Synology has addressed the immediate issue, the cybersecurity community advocates for more detailed disclosures and proactive measures to prevent future occurrences. Organizations are urged to take immediate action to assess and mitigate any potential exposure resulting from this vulnerability.

Source: Cyber Press https://cyberpress.org/synology-abm-vulnerability/