A single leaked client secret embedded in Synology’s “Active Backup for Microsoft 365” (ABM) has given would-be attackers unfettered read-only access to every Microsoft 365 tenant that deployed the add-on, exposing group and Microsoft Teams content across more than 1.2 million installations.
During a red-team engagement, researchers intercepted the OAuth hand-off that occurs when administrators first connect ABM to their Microsoft 365 environment.

After installing ABM, the administrator is walked through a setup wizard that links the NAS to the organisation's Microsoft 365 tenant.

The Synology middleware service synooauth.synology.com returned an HTTP 302 redirect whose Location URL carried several query-string parameters, among them a hard-coded client_secret belonging to the global ABM app registration in Synology's own Microsoft tenant.
By replaying a standard client-credentials grant against the token endpoint of any tenant that had consented to ABM, the researchers obtained a Microsoft Graph access token carrying the application-level permissions Group.Read.All and ChannelMessage.Read.All.
No prior foothold, phishing, or tenant-specific credential was required; possession of the secret alone demolished tenant boundaries and Microsoft’s multi-tenant trust model.
Because the leaked secret belonged to Synology's publisher app registration rather than to anything the customer controls, no customer tenant could rotate or revoke it; an individual tenant could cut itself off only by removing the ABM enterprise application or its admin consent, which also breaks the backups, and the secret remained valid against every other consenting tenant.
Any adversary who captured the secret could keep minting fresh tokens until Synology rotated or revoked it on its side, and tokens already issued stayed valid until their own expiry.
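The following Python is an added triage example, not code from Synology or the researchers. It shows the three pieces of the finding above: scanning a captured 302 Location URL for OAuth parameters that should never be exposed to the client, the client-credentials request that a leaked publisher secret enables (the only per-tenant input is the tenant id, which is not a secret), and decoding the resulting token's claims to confirm it is app-only and see which Graph roles it carries. The redirect URL, GUIDs and token are all constructed for the demo; the sample token is unsigned, whereas real Entra ID tokens are signed and should be validated before any trust decision.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# OAuth parameters that must never appear in a redirect the client can observe.
SENSITIVE_OAUTH_PARAMS = {"client_secret", "access_token", "refresh_token", "id_token"}


def find_leaked_oauth_params(location_header: str) -> dict:
    """Return any sensitive OAuth parameters present in a 302 Location URL.

    Both the query string and the fragment are checked; implicit-flow tokens
    normally travel in the fragment.
    """
    url = urlparse(location_header)
    found = {}
    for raw in (url.query, url.fragment):
        for name, values in parse_qs(raw).items():
            if name in SENSITIVE_OAUTH_PARAMS:
                found[name] = values[0]
    return found


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """Build the token request that a leaked publisher secret enables.

    The only per-tenant input is the tenant id in the URL, which is public;
    everything else comes from the leaked app registration.
    """
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return endpoint, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature (triage only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def classify_graph_token(token: str) -> dict:
    """Summarise a Graph token: app-only or delegated, tenant, caller, permissions.

    App-only (client-credentials) tokens list permissions in `roles` and have
    no `scp` claim; delegated tokens carry a space-separated `scp` string.
    """
    claims = jwt_claims(token)
    app_only = "roles" in claims and "scp" not in claims
    permissions = claims["roles"] if app_only else claims.get("scp", "").split()
    return {
        "app_only": app_only,
        "tenant": claims.get("tid"),
        "client_app": claims.get("appid"),
        "permissions": sorted(permissions),
    }


# --- Constructed sample data; not captured from any real NAS or tenant ---
SAMPLE_REDIRECT = (
    "https://nas.example.internal/abm/oauth/callback"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&client_secret=constructed-secret-value"
    "&state=abc123"
)


def _unsigned_jwt(claims: dict) -> str:
    """Build an alg=none JWT for the demo; real tokens are signed by Entra ID."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


SAMPLE_APP_TOKEN = _unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "tid": "aaaaaaaa-0000-0000-0000-000000000001",
    "appid": "11111111-2222-3333-4444-555555555555",
    "roles": ["Group.Read.All", "ChannelMessage.Read.All"],
})

if __name__ == "__main__":
    leaked = find_leaked_oauth_params(SAMPLE_REDIRECT)
    print("leaked parameters:", leaked)
    endpoint, body = client_credentials_request(
        "victim-tenant-id", "11111111-2222-3333-4444-555555555555", leaked["client_secret"]
    )
    print("token request ->", endpoint, body["grant_type"])
    print("token summary:", classify_graph_token(SAMPLE_APP_TOKEN))
```

The same `classify_graph_token` check is useful on the defensive side: a token from a backup integration that shows `app_only` with tenant-wide `roles` is exactly the kind of credential whose exposure cannot be contained by the customer tenant.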
With the two high-privilege Graph scopes, an attacker could silently enumerate every Microsoft 365 group, scrape SharePoint sites and Outlook conversations linked to those groups, and exfiltrate full message histories—including attachments and adaptive cards—from all public and private Microsoft Teams channels.
The data exposure spans intellectual-property repositories, HR discussions, legal correspondence, and merger negotiations, presenting prime material for espionage, extortion, or pre-ransomware reconnaissance.
The vulnerability (CVE-2025-4679) is especially serious because ABM markets itself as a data-protection tool: organisations enable it precisely to preserve business-critical content.
By piggybacking on that trusted backup workflow, an attacker can harvest a superset of the very information defenders believe they have safeguarded.
Unlike an endpoint compromise, which leaves process and file telemetry behind, bulk reads through Microsoft Graph generate little in Teams or SharePoint for defenders to alert on; where available, the Entra ID service principal sign-in log is the most useful trace, since each app-only token issuance is recorded with the client application ID and source IP.
Synology’s middleware inadvertently acted as a distribution point for the secret, leaking it to anyone analysing network traffic during ABM onboarding.
Disclosure and Severity
Researchers notified Synology on 4 April 2025 and requested a CVSS 8.6/High rating, arguing that no privileges were required and that exploitation crossed tenant boundaries (Scope = Changed).

Synology instead published an advisory with a CVSS 6.5/Moderate score, classifying the issue as “remote authenticated” and omitting specifics on which data types were exposed.
The vendor’s initial bounty offer of roughly $417—declined by the researchers—further underscored the gulf in risk perception.
Compounding concerns, Synology’s advisory stated that “customer action is not required” and provided no Indicators of Compromise (IoCs).
As a result, affected organisations may remain unaware that historic Teams conversations and group files could already reside in adversary archives.
Microsoft has recently urged cloud vendors to practise transparent vulnerability disclosure even for managed SaaS offerings; this episode illustrates the ongoing tension between corporate liability worries and the security community’s push for full context.
For security teams, the incident is a stark reminder that SaaS integrations often inherit broad cloud permissions that, if mismanaged by third-party providers, can bypass traditional defence-in-depth.
Administrators should audit enterprise applications for unused high-privilege application permissions, enforce Conditional Access for workload identities where licensed (bearing in mind that it applies only to single-tenant service principals registered in your own tenant, so it would not have constrained a publisher-owned multi-tenant app such as ABM), and demand clear post-mortems from vendors whenever credentials or cloud keys go missing.
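The audit step above, as an added Python example rather than anything from Synology or Microsoft. In a live tenant the two inputs come from Microsoft Graph: `GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'` returns the Microsoft Graph service principal, whose `appRoles` map role ids to permission names, and `GET /servicePrincipals/{id}/appRoleAssignments` lists each enterprise app's granted application permissions (the Microsoft Graph PowerShell equivalents are `Get-MgServicePrincipal` and `Get-MgServicePrincipalAppRoleAssignment`). The JSON below is constructed to mirror those response shapes; every GUID except Graph's well-known appId is made up, and the high-privilege name patterns are a starting watchlist, not an official classification.

```python
import fnmatch

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId

# Application permissions whose names indicate tenant-wide read or write access.
HIGH_PRIVILEGE_PATTERNS = (
    "*.Read.All", "*.ReadWrite.All", "Directory.*", "Mail.*", "Files.*",
    "Sites.*", "ChannelMessage.*", "Chat.*", "RoleManagement.*", "Application.*",
)


def build_role_map(graph_sp: dict) -> dict:
    """Map appRole id -> permission name for the Graph service principal's
    application-type roles (allowedMemberTypes contains 'Application')."""
    return {
        role["id"]: role["value"]
        for role in graph_sp["appRoles"]
        if "Application" in role.get("allowedMemberTypes", [])
    }


def is_high_privilege(permission: str) -> bool:
    return any(fnmatch.fnmatchcase(permission, pat) for pat in HIGH_PRIVILEGE_PATTERNS)


def audit_assignments(enterprise_apps: list, graph_sp: dict, our_tenant_id: str) -> list:
    """Return one finding per high-privilege Graph application permission.

    A finding is marked publisher_owned when appOwnerOrganizationId is not our
    tenant: that app's credentials live in the publisher's tenant, so we cannot
    rotate them and can only remove the app or its consent grant.
    """
    role_map = build_role_map(graph_sp)
    findings = []
    for app in enterprise_apps:
        for assignment in app.get("appRoleAssignments", []):
            if assignment["resourceId"] != graph_sp["id"]:
                continue  # grants on other resource APIs are out of scope here
            permission = role_map.get(assignment["appRoleId"], assignment["appRoleId"])
            if is_high_privilege(permission):
                findings.append({
                    "app": app["displayName"],
                    "appId": app["appId"],
                    "permission": permission,
                    "publisher_owned": app.get("appOwnerOrganizationId") != our_tenant_id,
                })
    return findings


# --- Constructed sample data mirroring Graph response shapes; GUIDs are made up ---
OUR_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"

GRAPH_SP = {
    "id": "graph-sp-object-id",
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": "role-group-read", "value": "Group.Read.All", "allowedMemberTypes": ["Application"]},
        {"id": "role-channelmsg-read", "value": "ChannelMessage.Read.All", "allowedMemberTypes": ["Application"]},
        {"id": "role-user-readbasic", "value": "User.ReadBasic.All", "allowedMemberTypes": ["Application"]},
    ],
}

ENTERPRISE_APPS = [
    {
        "displayName": "Active Backup for Microsoft 365",
        "appId": "11111111-2222-3333-4444-555555555555",
        "appOwnerOrganizationId": "bbbbbbbb-0000-0000-0000-000000000002",  # publisher's tenant
        "appRoleAssignments": [
            {"resourceId": "graph-sp-object-id", "appRoleId": "role-group-read"},
            {"resourceId": "graph-sp-object-id", "appRoleId": "role-channelmsg-read"},
        ],
    },
    {
        "displayName": "HR Directory Sync",
        "appId": "22222222-3333-4444-5555-666666666666",
        "appOwnerOrganizationId": OUR_TENANT,
        "appRoleAssignments": [
            {"resourceId": "graph-sp-object-id", "appRoleId": "role-user-readbasic"},
            {"resourceId": "some-other-api-sp", "appRoleId": "role-group-read"},
        ],
    },
]

if __name__ == "__main__":
    for finding in audit_assignments(ENTERPRISE_APPS, GRAPH_SP, OUR_TENANT):
        owner = "publisher-owned" if finding["publisher_owned"] else "tenant-owned"
        print(f'{finding["app"]} ({owner}): {finding["permission"]}')
```

Publisher-owned findings deserve the closest look: for those apps the only tenant-side controls are removing the enterprise application or its consent, and asking the vendor how its client credentials are protected and rotated.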