
CVE-2022-49036: Synology Active Backup RCE Vulnerability

CVE-2022-49036 is a local code execution vulnerability in Synology Active Backup for Business Recovery Media Creator that allows local attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigation.


CVE-2022-49036 Overview

CVE-2022-49036 is a local code execution vulnerability in Synology Active Backup for Business Recovery Media Creator. The flaw stems from an inclusion of functionality from an untrusted control sphere [CWE-829] in the application's OpenSSL configuration handling. Local users can leverage the issue to execute arbitrary code through unspecified vectors. The vulnerability affects Synology Active Backup for Business Recovery Media Creator versions before 2.5.0-2081. Synology has released a fixed version through its standard release channel.

Critical Impact

Local authenticated users can execute arbitrary code with the privileges of the Recovery Media Creator process, leading to full compromise of confidentiality, integrity, and availability on the affected host.

Affected Products

  • Synology Active Backup for Business Recovery Media Creator versions prior to 2.5.0-2081

Discovery Timeline

  • 2026-06-03 - CVE-2022-49036 published to the National Vulnerability Database (NVD)
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2022-49036

Vulnerability Analysis

The vulnerability resides in how the Recovery Media Creator loads its OpenSSL configuration. The application includes functionality from an untrusted control sphere, meaning it loads resources or configuration data from a location a local user can influence. An attacker with local access can plant a crafted OpenSSL configuration or supporting module that is executed in the context of the Recovery Media Creator. Successful exploitation results in arbitrary code execution on the local system.

Because the attack requires local access and low privileges, it is well-suited to post-compromise privilege abuse scenarios. The impact spans confidentiality, integrity, and availability of the affected host.

Root Cause

The root cause is mapped to [CWE-829]: Inclusion of Functionality from Untrusted Control Sphere. The Recovery Media Creator references an OpenSSL configuration source that is writable or controllable by a local user. OpenSSL's configuration syntax supports directives that load engines and dynamic modules. When the application invokes OpenSSL, it parses the attacker-influenced configuration and loads attacker-controlled functionality into its process.

Attack Vector

The attack vector is local. A local user with limited privileges places a malicious OpenSSL configuration file or supporting library in a location consulted by the Recovery Media Creator. When the application starts and initializes OpenSSL, it parses the configuration and executes the attacker's code. No user interaction beyond launching the affected utility is required. Refer to the Synology Release Notes for the vendor's description of the fixed behavior.

Detection Methods for CVE-2022-49036

Indicators of Compromise

  • Presence of an unexpected openssl.cnf file or OpenSSL configuration in directories searched by the Recovery Media Creator process.
  • Unexpected dynamic libraries or OpenSSL engine modules written to user-writable paths near the application binary.
  • Child processes spawned by the Recovery Media Creator that do not match expected backup or media-creation workflows.
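
One way to triage an OpenSSL configuration file found during such an audit, as an added example (not code from this page or from Synology): the script flags the standard OpenSSL directives that pull in external files (`.include`, `dynamic_path`, `module`) and marks targets that resolve under user-writable prefixes. `USER_WRITABLE_ROOTS`, the sample fragment and every path in it are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: prefixes a standard (non-admin) user can write to on the audited host.
USER_WRITABLE_ROOTS = (r"C:\Users", r"C:\Temp")
# OpenSSL config keys whose value names a file that libcrypto loads as code.
CODE_LOADING_KEYS = ("dynamic_path", "module")

SECTION = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
INCLUDE = re.compile(r"^\.include(?:\s*=\s*|\s+)(.+)$")
ASSIGN = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")

# Constructed fragment for demonstration; not taken from any real installation.
SAMPLE = r"""
# fragment only, not a complete configuration
.include C:\Users\Public\extra.cnf
[engine_a]
dynamic_path = C:\Users\Public\Downloads\helper.dll
[provider_b]
module = C:\Program Files\Vendor\legacy.dll   # admin-only location
activate = 1
"""

def user_writable(path):
    """True/False for absolute paths, None when the path is relative."""
    p = ntpath.normcase(ntpath.normpath(path.strip('"')))
    if not ntpath.isabs(p):
        return None  # resolved at run time; needs manual review
    return any(p.startswith(ntpath.normcase(r) + "\\") for r in USER_WRITABLE_ROOTS)

def scan_openssl_conf(text):
    """Return (line_no, section, directive, target, user_writable) findings."""
    findings, section = [], "default"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := INCLUDE.match(line):
            findings.append((no, section, ".include", m.group(1), user_writable(m.group(1))))
        elif (m := ASSIGN.match(line)) and m.group(1) in CODE_LOADING_KEYS:
            findings.append((no, section, m.group(1), m.group(2), user_writable(m.group(2))))
    return findings

if __name__ == "__main__":
    for no, section, directive, target, writable in scan_openssl_conf(SAMPLE):
        flag = {True: "USER-WRITABLE", False: "ok", None: "RELATIVE"}[writable]
        print(f"line {no} [{section}] {directive} -> {target}: {flag}")
```

A finding marked user-writable or relative is a lead for review, not proof of compromise; confirm the effective ACL on the target path before acting on it.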

Detection Strategies

  • Monitor process creation events where the Recovery Media Creator launches unexpected child processes such as shells, scripting interpreters, or network utilities.
  • Audit file writes to directories used by Recovery Media Creator for OpenSSL configuration or engine module placement.
  • Compare installed Recovery Media Creator versions against the fixed release 2.5.0-2081 across managed endpoints.

Monitoring Recommendations

  • Enable command-line and module-load telemetry on Windows endpoints running Synology backup tooling.
  • Alert on writes to OpenSSL configuration paths originating from non-administrative accounts.
  • Track installations and upgrades of Synology Active Backup for Business Recovery Media Creator through software inventory tooling.

How to Mitigate CVE-2022-49036

Immediate Actions Required

  • Upgrade Synology Active Backup for Business Recovery Media Creator to version 2.5.0-2081 or later on every endpoint where it is installed.
  • Restrict local interactive access on systems hosting the Recovery Media Creator to trusted administrators.
  • Audit directories consulted by the Recovery Media Creator for attacker-writable OpenSSL configuration files or modules.

Patch Information

Synology has addressed the vulnerability in Active Backup for Business Recovery Media Creator 2.5.0-2081. Download the fixed release from the Synology Release Notes page and deploy across all affected workstations.

Workarounds

  • Remove the Recovery Media Creator from systems where it is not actively used until the patched version can be deployed.
  • Enforce least privilege so that non-administrative users cannot write to directories searched by the Recovery Media Creator.
  • Use application allowlisting to block execution of unauthorized OpenSSL engine modules loaded by the application.
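```powershell
# Verify installed Recovery Media Creator version on Windows (64-bit and 32-bit uninstall keys)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like "*Active Backup for Business Recovery Media Creator*" } |
  Select-Object DisplayName, DisplayVersion
```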

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
