PT-2025-21627 · Synology · Synology Active Backup For Microsoft 365
Leonid Hartmann +1 · Published 2025-05-16 · Updated 2025-08-04 · CVE-2025-4679
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Synology Active Backup for Microsoft 365 (affected versions not specified)
Description:
A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors. This issue could allow malicious actors to access sensitive data in Microsoft 365 tenants that have authorized the Active Backup for Microsoft 365 enterprise app. The exact period for which this flaw existed is unknown, but it was fixed by Synology after disclosure. Inspecting the setup process of any Synology Active Backup for Microsoft 365 install could give an attacker the master key to all M365 tenants that had authorized the app.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration:
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Synology Active Backup For Microsoft 365