CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-12686

CVSS 9.8v3.1pub. 2026-05-27upd. 2026-06-05

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.

🤖 AI Analysis
How it works

The vulnerability results from lack of input data size verification before copying it to a memory buffer (CWE-120 — Classic Buffer Overflow). An attacker can send a specially crafted network request to the AdminCenter component, causing a buffer overflow. This allows overwriting memory areas and taking control of code execution on the device. The attack requires no authentication or user interaction.

Impact

An attacker can remotely execute arbitrary code on the device with AdminCenter process privileges, which in practice can lead to complete takeover of the device, loss of data confidentiality, and violation of system integrity and availability.

Mitigation & patch

Synology BeeStation OS should be updated to version 1.3.2-65648 or later. Details are available in the official security bulletin from the manufacturer: https://www.synology.com/en-global/security/advisory/Synology_SA_25_12

Who is affected

Synology BeeStation OS versions earlier than 1.3.2-65648

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Synology Beestation Os

    OS
    Synology
    1.0 – 1.3.2 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2024-10441CRITICAL9.8PL ✓ten sam produkt

RCE w Synology BeeStation OS i DSM — błąd kodowania wyjścia w systemowym daemonie

CVE-2024-10443CRITICAL9.8PL ✓ten sam produkt

OS Command Injection w Synology BeePhotos i Synology Photos — RCE bez uwierzytelnienia

CVE-2024-10445MEDIUM4.3ten sam produkt

Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) befo...

CVE-2024-50629MEDIUM5.3ten sam produkt

Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) ...

CVE-2024-45538CRITICAL9.6PL ✓ten sam vendor

CSRF umożliwiający RCE w Synology DiskStation Manager i Unified Controller