CVE-2024-47264 in Active Backup for Business
Summary
by MITRE • 02/13/2025
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in agent-related functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to delete arbitrary files via unspecified vectors.
Analysis
by VulDB Data Team • 02/04/2026
This vulnerability is a critical path traversal flaw affecting Synology Active Backup for Business versions prior to the patched releases. The issue resides in the agent-related functionality, where insufficient input validation allows a caller to manipulate file paths and perform unauthorized deletion operations. The restricted-directory boundary that should confine file operations to their designated location is not enforced, so attackers holding administrator privileges can traverse the file system and delete files they should not be able to reach, potentially leading to system compromise and data loss.
Technically, the path traversal stems from inadequate sanitization of user-supplied input within the agent functionality. When an administrator-level client interacts with the backup system, the software fails to validate or restrict the file paths it processes, allowing an attacker to craft requests that bypass the intended access controls. The weakness is classified as CWE-22 in the Common Weakness Enumeration, which covers improper limitation of a pathname to a restricted directory. By including directory traversal sequences in a request, an attacker can break out of the intended directory and reach arbitrary files on the system.
From an operational perspective, this vulnerability poses significant risks to enterprise environments that rely on Synology Active Backup for Business for their data protection infrastructure. Remote authenticated attackers with administrator privileges can leverage this weakness to delete critical system files, backup archives, or configuration data, potentially causing system instability, data corruption, or complete service disruption. The impact extends beyond simple file deletion as attackers could target configuration files that would compromise the entire backup infrastructure, leading to cascading failures in data protection mechanisms. Organizations may experience service outages, data loss, and potential compliance violations depending on their regulatory environment and backup retention policies.
Mitigation requires immediate patching of affected Synology Active Backup for Business installations to versions 2.7.1-13234, 2.7.1-23234, or 2.7.1-3234. System administrators should also apply additional measures, including network segmentation, privileged access management, and monitoring of backup system activity for suspicious file deletion patterns. The vulnerability aligns with ATT&CK technique T1070.004 ("File Deletion") and T1566.002 ("Phishing: Spearphishing Attachment"), as attackers may use this weakness to target backup systems through compromised administrator credentials. Organizations should also conduct comprehensive security reviews of their backup infrastructure, apply the principle of least privilege to administrator accounts, and establish robust audit trails for file system modifications so that exploitation attempts can be detected and responded to.
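The CWE-22 check described in the analysis, and the audit logic the mitigation section calls for, are illustrated by the following added example; it is not Synology's code and does not reflect how the agent is implemented. It assumes a hypothetical agent that accepts a relative path under a fixed backup directory (`base_dir`) and deletes it, and shows how resolving the candidate path before comparing it against the base catches `../` sequences, absolute paths and symlink hops alike.

```python
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted directory."""

def resolve_in_base(base_dir: str, requested: str) -> Path:
    """Confine a client-supplied path to base_dir, or raise PathTraversalError."""
    base = Path(base_dir).resolve()
    # Compare the fully resolved candidate ('..' and symlinks collapsed), not the
    # raw string: '../' sequences, absolute inputs (which discard base_dir on
    # join) and symlink hops all end up outside base and fail the same check.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # ValueError unless candidate lies under base
    except ValueError:
        raise PathTraversalError(f"path escapes base directory: {requested!r}") from None
    return candidate

def delete_backup_file(base_dir: str, requested: str) -> bool:
    """Delete a file only after confinement; True if a file was removed."""
    target = resolve_in_base(base_dir, requested)
    if not target.is_file():
        return False
    target.unlink()
    return True

def is_traversal_attempt(base_dir: str, requested: str) -> bool:
    """Audit helper: True when the request would escape base_dir."""
    try:
        resolve_in_base(base_dir, requested)
    except PathTraversalError:
        return True
    return False

def run_demo() -> dict:
    """Exercise the guard on a constructed directory tree; returns the outcomes."""
    with tempfile.TemporaryDirectory() as root:
        backups = Path(root, "backups")
        backups.mkdir()
        (backups / "job1.bak").write_text("constructed backup data")
        (Path(root) / "agent.conf").write_text("constructed file outside backups")
        return {
            "traversal_blocked": is_traversal_attempt(str(backups), "../agent.conf"),
            "absolute_blocked": is_traversal_attempt(str(backups), "/etc/hostname"),
            "legit_deleted": delete_backup_file(str(backups), "job1.bak"),
            "outside_untouched": (Path(root) / "agent.conf").exists(),
        }
```

`is_traversal_attempt` is the piece that belongs in an audit trail: logging every request it flags gives the "suspicious file deletion pattern" signal the mitigation section recommends monitoring for.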