CVE-2024-47273: Synology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
Synology Hyper Backup versions before 4.1.2-4036 contain a path traversal vulnerability in the Backup Task feature that allows an authenticated user to write files outside their intended directory. An attacker with valid credentials could exploit this to place files in restricted locations on the system, potentially compromising system integrity or enabling lateral movement.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users to write specific files via unspecified vectors.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2024-47273 is a CWE-22 path traversal vulnerability affecting Synology Hyper Backup. The flaw exists in the Backup Task functionality and permits authenticated remote users to bypass directory restrictions and write files to arbitrary locations via unspecified vectors. The vulnerability requires valid authentication credentials and network access but does not require user interaction. The attack surface is limited to authenticated sessions, which reduces immediate exposure but increases risk in environments where account compromise is plausible.
Business impact
This vulnerability poses a moderate risk to organizations relying on Synology Hyper Backup for data protection workflows. A compromised administrative or service account could be leveraged to write malicious files, modify system configuration files, or inject code into application directories. For environments where backup infrastructure is trusted with sensitive data or system access, this creates potential for data exfiltration, system instability, or privilege escalation chains. The impact is heightened if backup credentials are shared, reused across systems, or stored insecurely.
Affected systems
Synology Hyper Backup versions prior to 4.1.2-4036 are affected. Organizations should verify their current deployment version against Synology's advisory to confirm exposure. The vulnerability affects the backup task feature, which is typically deployed in data center, SMB, or distributed backup scenarios. Virtual machine environments, NAS systems, and cloud backup orchestration platforms running vulnerable versions require immediate attention.
Exploitability
Exploitation requires valid authentication credentials and network connectivity to the Hyper Backup service. An attacker cannot exploit this remotely without legitimate account access. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U) reflects low attack complexity once authentication is obtained. The integrity impact is limited (I:L), meaning successful exploitation compromises file integrity in restricted directories but does not enable confidentiality breaches or system availability attacks. The lack of widespread public exploit code and the need for valid credentials keep exploitability moderate in practice.
Remediation
Update Synology Hyper Backup to version 4.1.2-4036 or later. Verify this version number against Synology's official advisory and release notes before deployment. Apply updates during a maintenance window to avoid disruption to backup operations. After patching, audit backup task configurations and review access logs for any suspicious file write operations during the window of exposure.
Patch guidance
Synology provides patches through its standard update mechanism. Navigate to the Hyper Backup management interface, check for available updates, and apply version 4.1.2-4036 or later. For organizations with automatic update policies, verify that the deployment completed successfully and validate system functionality post-patch. Test backup task operations in a non-production environment before full rollout if possible. Confirm the patch version matches the advisory guidance to avoid incomplete remediation.
Detection guidance
Monitor Synology Hyper Backup audit logs for backup task operations by authenticated users, particularly file write operations outside expected backup destinations. Look for anomalous path construction patterns in task configurations or execution logs that reference system directories or configuration paths. Enable verbose logging on backup tasks if available. Review system file integrity logs for unexpected file modifications in restricted directories during the exposure window. Network-level detection should focus on suspicious outbound connections initiated by the Hyper Backup service following suspicious task execution.
Why prioritize this
This vulnerability rates MEDIUM severity and should not displace critical or high-risk patch campaigns, but it merits near-term remediation because (1) it affects a trusted system component with broad data access, (2) authenticated compromise scenarios are plausible in enterprise environments, and (3) exploitation could facilitate follow-on attacks. Organizations with strong access controls and limited backup credential distribution should prioritize this below critical CVEs but above low-severity issues. Those with shared or weak credential management should elevate priority.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects the requirement for prior authentication (PR:L) and limited integrity impact (I:L). The lack of confidentiality or availability impact caps the score despite network accessibility and low attack complexity. This scoring appropriately represents the real-world risk: a meaningful but contained threat that requires credential compromise as a prerequisite. Organizations should not underweight this based on the score alone; context around credential hygiene and backup system exposure is critical.
Frequently asked questions
Do I need valid Hyper Backup credentials to exploit this vulnerability?
Yes. CVE-2024-47273 requires prior authentication. An attacker cannot exploit it through an anonymous or unauthenticated network request. This means your patch priority may depend on how tightly you control Hyper Backup access and how robustly you manage backup service accounts.
What files can an attacker write if they exploit this?
The vulnerability allows writing to locations outside the intended backup destination directory. The specific impact depends on the system's file permissions and which directories an authenticated Hyper Backup user can reach. An attacker might write configuration files, scripts, or other data that could enable further system compromise, but exploit potential varies by deployment architecture.
Is this vulnerability on the KEV catalog?
No. CVE-2024-47273 is not listed on CISA's Known Exploited Vulnerabilities catalog. There is no evidence of active in-the-wild exploitation as of the advisory date. This does not mean it is safe to delay patching—KEV status reflects only observed exploitation, not vulnerability severity or risk.
Should I deprioritize this if my Hyper Backup instances are on internal networks only?
Network isolation reduces exposure, but you should not deprioritize based on location alone. If internal users or systems can obtain backup credentials through phishing, credential reuse, or lateral movement, an insider or compromised account could still exploit this. Treat internal systems with secrets as patching priorities.
This analysis is based on the publicly disclosed vulnerability description and does not constitute a complete security assessment. Patch version numbers and affected product details should be verified against the official Synology security advisory before deployment. Organizations should assess their specific deployment architecture, credential management practices, and exposure context to determine true risk. This information is provided for situational awareness and does not guarantee protection against all attack scenarios or variants. No exploit code or weaponized proof-of-concept is provided or endorsed by this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-10213MEDIUMAstrBot 4.23.6 Path Traversal in API Endpoint
- CVE-2026-10278MEDIUMPath Traversal in ishayoyo excel-mcp – Exploitation, Detection, and Remediation