A security vulnerability in Synology's Active Backup for Microsoft 365 (ABM) software has exposed countless organizations' cloud data to unauthorized access. Tracked as CVE-2025-4679, the flaw allowed attackers to leverage leaked application credentials to infiltrate any Microsoft tenant that had ABM installed, with no prior access required.
According to a detailed technical report from modzero, the vulnerability was discovered during a red-team exercise and quickly escalated into what the researchers called a "backdoor into a lot of organization's Microsoft tenants."
Synology's ABM software facilitates automated backups of Microsoft 365 services (such as Teams, OneDrive, and Exchange) via an OAuth integration with Microsoft Entra ID. The setup process involved a middleware service (synooauth.synology.com), which shockingly leaked a static client_secret in a redirect URL.
"The response includes several parameters within the Location header, one of which is a value for client_secret," the report explains.
This secret belonged to Synology's global app registration, not a tenant-specific one, meaning it could be used universally across all tenants where ABM was installed. The consequences were severe:
- No authentication to Synology or Microsoft was needed.
- Read-only access to Teams messages, group memberships, Outlook content, and calendars was possible using this credential.
"This ultimately allowed broad read-only access to: all Microsoft Teams channel messages, groups, calendars, and Outlook conversations," the report warns.
The researchers demonstrated how an attacker could use this leaked credential to request Microsoft Graph API access tokens using only the public client_id and client_secret.
"We sent the following HTTP request to obtain an access token for the ABM service principal from our tenant's OAuth endpoint… And… we were surprised that it worked."
This effectively created a universal cloud access key for any ABM-enabled organization. It could be exploited for:
- Espionage in enterprise environments
- Pre-ransomware reconnaissance
- Underground data sales
And because the vulnerability required no foothold in the target's environment, attackers could have operated at global scale.
modzero reported the issue to Synology on April 4, 2025, and Synology did acknowledge the issue, assigning it CVE-2025-4679. However, the two parties disagreed significantly on the severity.
"Synology had determined the details of the CVE and stated that they had come up with a CVSS score of 6.5… a big step down from our proposed 8.6."
Synology's advisory vaguely described the issue as:
"A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors."
modzero noted that no customer alerts or Indicators of Compromise (IoCs) were included in Synology's public advisory.
While Synology provided no forensic details, modzero did:
- ABM Client ID: b4f234da-3a1a-4f4d-a058-23ed08928904
- Suspicious IPs: 220.130.175.235 and ASN AS3462
- Excessive Graph API calls outside scheduled backup windows
- Foreign service principals with app permissions from other Microsoft tenants
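As an added example (not part of modzero's report or Synology's advisory), the following Python script triages Entra ID service-principal sign-in events against the IoCs above: the ABM client ID, the published suspicious IP, and bursts of token requests outside the backup window. The sample events, the field names, the backup window and the per-hour threshold are constructed assumptions, not real tenant logs.

```python
"""Triage service-principal sign-in events for the ABM IoCs (CVE-2025-4679)."""
from collections import Counter
from datetime import datetime

ABM_CLIENT_ID = "b4f234da-3a1a-4f4d-a058-23ed08928904"  # ABM app ID from modzero's IoC list
SUSPICIOUS_IPS = {"220.130.175.235"}                   # IP published by modzero
BACKUP_WINDOW_UTC = range(1, 4)   # assumption: scheduled backups run 01:00-03:59 UTC
MAX_SIGNINS_PER_HOUR = 3          # assumption: expected ABM token requests per hour

# Constructed sample events; field names loosely follow Entra sign-in log records.
SAMPLE_EVENTS = [
    {"id": "e1", "appId": ABM_CLIENT_ID, "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-04-05T02:10:00Z"},
    {"id": "e2", "appId": ABM_CLIENT_ID, "ipAddress": "220.130.175.235",
     "createdDateTime": "2025-04-05T14:05:00Z"},
    {"id": "e3", "appId": "00000000-0000-0000-0000-000000000001",
     "ipAddress": "198.51.100.7", "createdDateTime": "2025-04-05T14:06:00Z"},
] + [  # a burst of five extra ABM sign-ins inside the backup window
    {"id": f"burst{i}", "appId": ABM_CLIENT_ID, "ipAddress": "198.51.100.50",
     "createdDateTime": f"2025-04-05T02:{i:02d}:00Z"}
    for i in range(20, 25)
]


def _hour_key(event):
    """Return (hour bucket string, hour-of-day) for an event timestamp."""
    ts = datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))
    return ts.strftime("%Y-%m-%dT%H"), ts.hour


def scan(events):
    """Return {event_id: [reasons]} for ABM sign-ins matching at least one IoC."""
    abm = [e for e in events if e["appId"] == ABM_CLIENT_ID]
    per_hour = Counter(_hour_key(e)[0] for e in abm)  # volume per hour bucket
    findings = {}
    for e in abm:
        bucket, hour = _hour_key(e)
        reasons = []
        if e["ipAddress"] in SUSPICIOUS_IPS:
            reasons.append("source IP listed as suspicious")
        if hour not in BACKUP_WINDOW_UTC:
            reasons.append("token request outside scheduled backup window")
        if per_hour[bucket] > MAX_SIGNINS_PER_HOUR:
            reasons.append(f"{per_hour[bucket]} ABM sign-ins in hour {bucket} (excessive)")
        if reasons:
            findings[e["id"]] = reasons
    return findings


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Flagged events are a starting point for review; a sign-in from the ABM app ID that originates outside the tenant's expected backup infrastructure still needs correlation with the scheduled job history before it is treated as compromise.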