HIGH 7.8

CVE-2022-49036: Synology Active Backup for Business Recovery Media Creator Arbitrary Code Execution

Synology Active Backup for Business Recovery Media Creator versions prior to 2.5.0-2081 contain a flaw where untrusted OpenSSL configuration can be loaded during operation. A local user with standard privileges can exploit this to execute arbitrary code on the system. The vulnerability stems from the application trusting configuration from a location or source that should not be trusted, creating a path for privilege escalation or lateral movement within an affected environment.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-829
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2022-49036 is an inclusion of functionality from untrusted control sphere vulnerability (CWE-829) affecting Synology Active Backup for Business Recovery Media Creator. The flaw involves improper handling of OpenSSL configuration loading, where the application may source configuration from an untrusted location without proper validation. An attacker with local access and low privileges can manipulate this configuration to achieve arbitrary code execution with the privileges of the application process. The CVSS 3.1 score of 7.8 (HIGH) reflects the local attack vector, low attack complexity, and full impact on confidentiality, integrity, and availability.

Business impact

Recovery and backup infrastructure is critical to business continuity. Compromise of the Recovery Media Creator could allow an attacker to inject malicious code into backup recovery media, potentially affecting the integrity of future recovery operations across the organization. Additionally, local code execution on the machine running this tool could provide a foothold for lateral movement to backup repositories or administrative infrastructure. Organizations relying on Synology backup solutions face elevated risk during recovery operations if this vulnerability remains unpatched.

Affected systems

The vulnerability affects Synology Active Backup for Business Recovery Media Creator versions before 2.5.0-2081. Any deployment using earlier versions is in scope. The Recovery Media Creator is typically used to prepare bootable media for disaster recovery scenarios, often deployed on administrative or backup-management workstations where it may have elevated trust within the IT environment.

Exploitability

This vulnerability requires local access to the affected system and authentication as a local user (not requiring root or administrator privileges). Attack complexity is low, meaning once an attacker has local user access, exploitation is straightforward. However, the attack surface is limited by the need for local presence; remote exploitation is not possible. Organizations should assess the number of users with local access to systems running the Recovery Media Creator and the sensitivity of those systems in their infrastructure.

Remediation

Upgrade Synology Active Backup for Business Recovery Media Creator to version 2.5.0-2081 or later. Organizations should verify the exact version currently deployed and prioritize patching systems in environments where multiple users have local access. Given that this tool is typically used intermittently for recovery operations, patching can be planned around operational windows with lower disruption risk compared to production systems.

Patch guidance

Consult the official Synology security advisory and release notes for version 2.5.0-2081 to confirm patch availability and any prerequisites for upgrade. Test the patched version in a non-production environment before deployment to recovery infrastructure to ensure compatibility with existing backup procedures and media creation workflows. Document the patch date and version for compliance and change-management records.

Detection guidance

Monitor for suspicious process activity on systems running the Recovery Media Creator, particularly child processes spawned by OpenSSL or the application itself. Review file access and modification events around OpenSSL configuration directories (/etc/ssl, /etc/ssl/openssl.cnf, or application-specific config paths) to detect unauthorized changes. Inspect logs for unexpected configuration loading errors or warnings. Consider implementing application whitelisting or AppArmor/SELinux policies to restrict which configurations the Recovery Media Creator may load.

Why prioritize this

Although this vulnerability requires local access and is not remotely exploitable, the HIGH severity rating and focus on backup infrastructure warrant prompt remediation. Backup systems are frequently targeted by attackers seeking to disrupt recovery capabilities. The low complexity of exploitation once access is gained, combined with the broad impact on confidentiality, integrity, and availability, justifies prioritizing this alongside higher-CVSS remote vulnerabilities in the queue. Organizations with shared administrative workstations or lab environments should patch first.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects a local-only attack vector (AV:L), low attack complexity (AC:L), and the requirement for low privileges (PR:L), combined with high impact across all three security properties (C:H/I:H/A:H). The score appropriately captures that while remote exploitation is not possible, any user with local access can achieve full system compromise. This is significant for backup infrastructure that may be managed by multiple administrators or accessed from shared consoles.

Frequently asked questions

Does this vulnerability affect our production backup data or only the Recovery Media Creator?

The vulnerability affects the Recovery Media Creator tool itself. However, because this tool is used to create recovery media from backup data, compromise could allow an attacker to inject malicious code into the media, potentially affecting integrity of future recovery operations. Production backup data is not directly compromised unless an attacker uses the Recovery Media Creator to access and modify backup storage targets.

Can this vulnerability be exploited remotely?

No. The vulnerability requires local user access to the system running the Recovery Media Creator. Remote exploitation is not possible. However, if an attacker first gains remote access to the administrative workstation running this tool through another vulnerability or social engineering, they could then exploit CVE-2022-49036 to escalate or maintain access.

Is this vulnerability being exploited in the wild?

This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread exploitation has been documented as of the information available. However, the absence of known active exploitation does not eliminate risk, particularly if threat actors discover the vulnerability independently or target backup infrastructure specifically.

What should we do if we cannot patch immediately?

Restrict local access to systems running the Recovery Media Creator to only authorized administrators. Remove the tool from shared workstations where possible. Implement file integrity monitoring on OpenSSL configuration files to detect unauthorized changes. Review and audit local users on affected systems, disabling unnecessary accounts. Schedule patching as soon as operationally feasible, treating it as a high-priority maintenance task.

This analysis is based on publicly available vulnerability data and the vendor advisory. Patch versions, timelines, and availability should be verified directly with Synology's official security advisory. Organizations should conduct their own risk assessment based on their specific deployment configuration, access controls, and operational environment. This vulnerability intelligence is provided for informational purposes to aid in security decision-making and is not a substitute for professional cybersecurity assessment or guidance from your organization's security team. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).