A security vulnerability in Synology’s Active Backup for Microsoft 365 (ABM) software has exposed countless organizations’ cloud data to unauthorized access. Tracked as CVE-2025-4679, the flaw allowed attackers to leverage leaked application credentials to infiltrate any Microsoft tenant that had ABM installed—no prior access required.
According to a detailed technical report from modzero, the vulnerability was discovered during a red-team exercise and quickly escalated into what the researchers called a “backdoor into a lot of organization’s Microsoft tenants.”
Synology’s ABM software facilitates automated backups of Microsoft 365 services—such as Teams, OneDrive, and Exchange—via an OAuth integration with Microsoft Entra ID. The setup process involved a middleware service (synooauth.synology.com), which shockingly leaked a static client_secret in a redirect URL.
“The response includes several parameters within the Location header, one of which is a value for client_secret,” the report explains.
This secret belonged to Synology’s global app registration, not a tenant-specific one—meaning it could be used universally across all tenants where ABM was installed. The consequences were severe:
- No authentication to Synology or Microsoft was needed.
- Read-only access to Teams messages, group memberships, Outlook content, and calendars was possible using this credential.
“This ultimately allowed broad read-only access to: all Microsoft Teams channel messages, groups, calendars, and Outlook conversations,” the report warns.
The researchers demonstrated how an attacker could use this leaked credential to request Microsoft Graph API access tokens using only the public client_id and client_secret.
“We sent the following HTTP request to obtain an access token for the ABM service principal from our tenant’s OAuth endpoint… And… we were surprised that it worked.”
This effectively created a universal cloud access key for any ABM-enabled organization. It could be exploited for:
- Espionage in enterprise environments
- Pre-ransomware reconnaissance
- Underground data sales
And because the vulnerability required no foothold in the target’s environment, attackers could have operated at global scale.
modzero reported the issue to Synology on April 4, 2025, and Synology did acknowledge the issue, assigning it CVE-2025-4679. However, the two parties disagreed significantly on the severity.
“Synology had determined the details of the CVE and stated that they had come up with a CVSS score of 6.5… a big step down from our proposed 8.6.”
Synology’s advisory vaguely described the issue as:
“A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors.”
modzero noted that no customer alerts or Indicators of Compromise (IoCs) were included in Synology’s public advisory.
While Synology provided no forensic details, modzero did:
- ABM Client ID:
b4f234da-3a1a-4f4d-a058-23ed08928904 - Suspicious IPs:
220.130.175.235and ASNAS3462 - Excessive Graph API calls outside scheduled backup windows
- Foreign service principals with app permissions from other Microsoft tenants
Related Posts:
- MailCleaner Vulnerabilities Allow Remote Code Execution
- Synology Issues Patches for Critical Camera Flaws Discovered at Pwn2Own
- Critical Flaw in Synology Camera Firmware Expose Devices to RCE and DoS Attacks
- Synology Camera Critical Vulnerabilities Patched: Upgrade Immediately
- 1Password Detects Suspicious Activity Following Okta’s Breach Announcement
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.