Synology ABM Vulnerability Leaks Microsoft 365 Sensitive Information
A critical vulnerability in Synology’s Active Backup for Microsoft 365 (ABM) has exposed sensitive data from Microsoft 365 tenants worldwide, potentially impacting over a million organizations relying on the popular backup solution.
The flaw, tracked as CVE-2025-4679, allowed attackers to access confidential Microsoft 365 content—including Teams messages, group memberships, Outlook conversations, and calendar data—without requiring prior access to the target environment.
How the Vulnerability Worked
Security researchers at modzero discovered the issue during a red-team exercise. The root cause was traced to Synology’s ABM setup process, which leaked a static client_secret—a master credential for Synology’s global Microsoft app registration—via a redirect URL handled by Synology’s middleware service (synooauth.synology.com).

This credential, embedded in a browser redirect, could be intercepted by anyone observing network traffic during the backup setup.
“A single review of the installation process for any Synology Active Backup for Microsoft 365 setup can reveal the master key, granting access to all M365 tenants that have authorized the Active Backup enterprise application,” researchers warned.

With the leaked client_id and client_secret, an attacker could request Microsoft Graph API access tokens for any tenant where ABM was installed, gaining read-only access to vast amounts of organizational data—without authenticating to Synology or Microsoft.
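The defect described above belongs to a well-known class: a long-lived secret carried in a URL that browsers, proxies, and history files all record. The following Python is an added example, not code from the article or from Synology; it assumes nothing about the real redirect format (the sample log lines are constructed) and the list of sensitive parameter names is drawn from common OAuth 2.0 usage rather than from the page. It shows how a defender can scan captured redirect URLs for credential-bearing query or fragment parameters and report a hit without re-leaking the value.

```python
"""Flag OAuth credentials that leak through URL query strings or fragments.

Added example, not part of the original article or of Synology's code.
The sample URLs are constructed to illustrate the class of defect the
article describes (a static client_secret carried in a browser redirect).
"""
from urllib.parse import parse_qsl, urlsplit

# Parameter names that must never appear in a redirect URL. These names are
# an assumption based on common OAuth 2.0 practice, not taken from the page.
SENSITIVE_PARAMS = {"client_secret", "access_token", "refresh_token", "id_token", "password"}


def find_leaked_params(url: str) -> list[tuple[str, str]]:
    """Return (parameter, value_preview) pairs for sensitive parameters in `url`.

    Both the query string and the fragment are inspected: the query is seen by
    every proxy and server log, and the fragment survives in browser history.
    Values are truncated so the report does not itself re-leak the secret.
    """
    parts = urlsplit(url)
    hits = []
    for section in (parts.query, parts.fragment):
        for name, value in parse_qsl(section, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                preview = value[:4] + "..." if len(value) > 4 else value
                hits.append((name, preview))
    return hits


def scan_redirects(lines):
    """Scan log lines of the form "<timestamp> <method> <url>" and collect leaks."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # not a request line in the expected shape
        url = fields[-1]
        for name, preview in find_leaked_params(url):
            findings.append({"line": line, "param": name, "preview": preview})
    return findings


# Constructed sample log: one benign callback, one redirect carrying a client
# secret in the query, and one carrying a token in the fragment.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z GET https://example.invalid/oauth/callback?code=AUTHCODE123&state=xyz",
    "2025-01-01T10:00:01Z GET https://example.invalid/setup?client_id=APPID&client_secret=S3CR3T-EXAMPLE&tenant=contoso",
    "2025-01-01T10:00:02Z GET https://example.invalid/login#access_token=TOKEN-EXAMPLE&token_type=bearer",
]

if __name__ == "__main__":
    for finding in scan_redirects(SAMPLE_LOG):
        print(f"LEAK {finding['param']}={finding['preview']} in: {finding['line']}")
```

Run against proxy or web-server access logs, this check catches the pattern regardless of which vendor's middleware produced the redirect; a hit on `client_secret` is the signal that the credential must be rotated, since every party that observed the URL now holds it.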
Potential Impact
- Scope: Any organization that installed ABM and granted it permissions was at risk.
- Data Exposure: Attackers could read all Microsoft Teams channel messages, group properties, Outlook content, and calendars.
- Attack Scenarios: The vulnerability enabled espionage, reconnaissance for ransomware, or mass data theft for underground sale—at a global scale.
- No Prior Access Needed: Exploitation required only the leaked secret, not a foothold in the target’s environment.

Modzero reported the vulnerability to Synology on April 4, 2025. Synology acknowledged the issue and assigned it CVE-2025-4679, but assessed the severity as “moderate” (CVSS 6.5), a significant downgrade from the researchers’ “high” (CVSS 8.6) estimate.
Synology’s public advisory described the flaw only as allowing “remote authenticated attackers to obtain sensitive information via unspecified vectors,” omitting technical details and not alerting customers to the full risk.
No customer action was required to resolve the issue, as Synology fixed the middleware component. However, security experts criticized the lack of transparency and failure to provide indicators of compromise (IoCs) or direct notifications to affected organizations.
This incident highlights the dangers of supply-chain vulnerabilities in cloud services and the risks of broad, tenant-wide permissions.
The flaw demonstrates how a single leaked credential can undermine the security of thousands of organizations, and underscores the need for greater transparency and proactive notification from cloud vendors.
As organizations continue to migrate to cloud-based solutions, experts urge IT leaders to implement robust monitoring, logging, and incident response measures—and to scrutinize the security practices of third-party vendors entrusted with sensitive data.