Cyber Resilience

CVE-2025-30028

High

Published: 27 May 2026

Modified: 02 June 2026
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0037 (28.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-30028 is a high-severity SQL Injection (CWE-89) vulnerability in Synology Active Backup For Business. Its CVSS base score is 8.6 (High).

Operationally, it is ranked at the 28.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files.

CVEs Like This One

CVE-2024-10444 - Same product: Synology Diskstation Manager
CVE-2024-50631 - Same product class: NAS / storage appliance
CVE-2025-13392 - Same product: Synology Diskstation Manager
CVE-2024-10441 - Same product: Synology Diskstation Manager
CVE-2024-45538 - Same product: Synology Diskstation Manager
CVE-2025-14713 - Same product: Synology Diskstation Manager
CVE-2022-49042 - Same product class: NAS / storage appliance
CVE-2026-3091 - Same product class: NAS / storage appliance
CVE-2023-52945 - Same product class: NAS / storage appliance
CVE-2022-49036 - Same product class: NAS / storage appliance

Affected Assets

Vendor: synology
Product: active backup for business
Versions: 2.7.1-13234, 2.7.1-23234, 2.7.1-3234

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.
