We discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of organizations that use Synology’s “Active Backup for Microsoft 365” (ABM). This flaw could be leveraged by malicious actors to obtain potentially sensitive information — such as all messages in Microsoft Teams channels. It was reported to Synology and tracked as CVE-2025-4679.

This blog post contains the full technical walk-through and discovery of the vulnerability, its impact, and our experience during the responsible disclosure process with Synology.

The standalone disclosure report is available on our advisory page and potential Indicators of Compromise (IoC) are provided in a dedicated section further below.

Background
During a red-team engagement against a customer’s Microsoft Entra tenant and Azure infrastructure we came across an application named “Synology Active Backup for M365”.

The application had broad permissions — such as read access to all groups and Microsoft Teams channel messages — making it an ideal target to obtain information that may be useful for further attacks (i.e. credential abuse or social engineering).

To analyze it, we created our own lab environment consisting of a Microsoft sandbox tenant and the ABM add-on installed within Synology’s DiskStation Manager (DSM) operating system. For research purposes it is not necessary to have a Synology NAS appliance, as the entire OS can be virtualized via Docker. We also built some tools along the way, which can be helpful to reverse engineer DSM add-on packages. We will share them for other security researchers on our GitHub soon.