Advisory

Vulnerability in Synology Active Backup for Microsoft 365 exposes credentials, enables unauthorized access to Teams chats

Take action: If you use Synology's Active Backup for Microsoft 365, be aware that a critical flaw exposed your Microsoft 365 data to potential unauthorized access until recently. Even though Synology says they've fixed it, check your Microsoft 365 audit logs for any suspicious access and ensure your Synology system is fully updated. If you develop applications, check whether any of your responses contain secrets that shouldn't be there.


Learn More

Security researchers are reporting a flaw in Synology's Active Backup for Microsoft 365 (ABM) that exposed a master credential, allowing unauthorized access to sensitive Microsoft 365 data across all organizations using the backup solution. This vulnerability could have enabled attackers to compromise installations without requiring any prior access to target environments.

The vulnerability is tracked as CVE-2025-4679 (CVSS score 6.5) and was discovered by modzero researchers during a red-team engagement. It affects Synology's Active Backup for Microsoft 365, a popular backup add-on for the company's DiskStation Manager (DSM) operating system. ABM is designed to provide automated backups for Microsoft services including OneDrive, SharePoint, Exchange Online, and Microsoft Teams, and has been installed over 1.2 million times across organizations transitioning to cloud-based workloads.

The flaw resided in Synology's OAuth middleware service (synooauth.synology.com) used during the ABM setup process. When users configured the backup solution to connect with their Microsoft tenant, the middleware inadvertently exposed a static client_secret credential within an HTTP 302 redirect response. This credential belonged to Synology's global ABM application registration in their Microsoft tenant and possessed broad tenant-wide permissions to access organizational data.

ABM is configured as a multi-tenant application with extensive permissions, including the ability to read all groups and their properties, access all Microsoft Teams channel messages (both public and private), view Outlook conversations, calendar events, and other Microsoft 365 content. 

The leaked credential effectively functioned as a master key that could grant attackers the same privileged access across any organization that had installed and authorized ABM.

Here's an example of the response with the secret:

HTTP/2 302 Found
Location: [...]/activebackupoffice365-cgi.cgi?action=oauth
          &graph_refresh_token=1.Aa4ABLPUicJgkEm4oYYv[...]
          &resource=https%3A%2F%2Fgraph.microsoft.com
          &client_id=b4f234da-3a1a-4f4d-a058-23ed08928904
          &client_secret=ARI8Q%7EsHOuwMoX.[...]
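As an added example (not code from Synology, modzero, or this advisory), the following Python check is the kind of test a developer or proxy operator could run over captured responses to catch the pattern shown above: a redirect whose Location query string carries credentials. The host name, the parameter-name suffix list and every value in the sample response are placeholders assumed for this example, not the real leaked data.

```python
"""Detect credential-like query parameters in an HTTP redirect.

Added example for this advisory; it is not Synology's or modzero's code.
It parses a raw HTTP response the way a proxy log or integration test
would see it and reports any parameter in a 3xx Location header whose
name looks like a secret. The sample response and every value in it are
constructed placeholders, not the real leaked data.
"""
from urllib.parse import parse_qsl, urlsplit

# Parameter-name suffixes that should never appear in a redirect URL.
# The list is an assumption for this example; extend it for your own APIs.
SENSITIVE_SUFFIXES = ("secret", "token", "password", "passwd", "api_key")

# Constructed sample modelled on the redirect shape above (placeholder values).
SAMPLE_RESPONSE = """HTTP/2 302 Found
Location: https://nas.example.invalid/webapi/activebackupoffice365-cgi.cgi?action=oauth
          &graph_refresh_token=PLACEHOLDER_REFRESH_TOKEN
          &resource=https%3A%2F%2Fgraph.microsoft.com
          &client_id=00000000-0000-0000-0000-000000000000
          &client_secret=PLACEHOLDER_CLIENT_SECRET
Content-Length: 0
"""


def parse_response(raw: str):
    """Return (status_code, headers) for a raw HTTP response text.

    Header names are lower-cased. Lines starting with whitespace are folded
    into the previous header value, which is how the wrapped Location
    header in the sample (and in the advisory's excerpt) is represented.
    """
    lines = raw.splitlines()
    status_parts = lines[0].split(maxsplit=2)  # e.g. ["HTTP/2", "302", "Found"]
    status = int(status_parts[1])
    headers = {}
    last_name = None
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and last_name is not None:
            headers[last_name] += line.strip()  # folded continuation line
            continue
        name, _, value = line.partition(":")
        last_name = name.strip().lower()
        headers[last_name] = value.strip()
    return status, headers


def find_leaked_params(raw: str):
    """Return the sorted names of secret-looking query parameters found in a
    redirect's Location header; [] for non-redirects or clean redirects."""
    status, headers = parse_response(raw)
    location = headers.get("location")
    if not (300 <= status < 400) or not location:
        return []
    query = urlsplit(location).query
    leaked = set()
    for name, _value in parse_qsl(query, keep_blank_values=True):
        lowered = name.lower()
        if lowered.endswith(SENSITIVE_SUFFIXES):
            leaked.add(lowered)
    return sorted(leaked)


if __name__ == "__main__":
    # Prints ['client_secret', 'graph_refresh_token'] for the constructed sample.
    print(find_leaked_params(SAMPLE_RESPONSE))
```

Run it over the raw responses your proxy or integration tests capture from any OAuth broker or backend you operate; a non-empty result means a credential is travelling in a URL, where it lands in browser history, proxy logs and referrer headers. The underlying fix is to keep a confidential client's client_secret on the server that performs the token exchange and never place it, or a refresh token, in a redirect.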

The attack required no authentication or prior foothold in target environments. Malicious actors needed only to observe the leaked credential once from Synology's middleware service during any ABM setup to gain unauthorized access to all Microsoft tenants that had authorized the application. 

Testing confirmed that this credential was valid and could be used to obtain Microsoft Graph API access tokens for any organization's tenant where ABM had been authorized, bypassing conditional access protocols, multi-factor authentication, and network segmentation controls.

While modzero proposed a CVSS score of 8.6 (High severity), Synology assessed it at 6.5 (Moderate severity), citing differences in the "privileges required" and "scope" metrics. 

Synology states that no customer action was required to resolve the vulnerability, as they implemented fixes to their middleware service. It's not clear whether anyone has abused this key and gained access.
