CVE-2025-2848 MEDIUM

CVE-2025-2848

Vendor Synology

Product Synology Mail Server

Weakness CWE-862 · Missing authorization

Published December 4, 2025

Last update December 4, 2025

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions.

Key dates

02Disclosure timeline

December 4, 2025 CVE published

December 4, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-2848 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-12675 KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update CVE-2025-31781 WordPress Gift Cards for WooCommerce plugin <= 1.5.8 - Broken Access Control vulnerability CVE-2026-22466 WordPress WP MapIt plugin <= 3.0.3 - Broken Access Control vulnerability CVE-2026-28254 Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge CVE-2023-1334 RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'queue_posts'

Identifiers

CVE CVE-2025-2848

CWE CWE-862

CVSS 6.3 / MEDIUM

Affected versions

Vendor Synology

Product Synology Mail Server

Affected < 1.7.6-10676

Vendor Synology

Product Synology Mail Server

Affected < 1.7.6-20676