A classic buffer overflow in the AdminCenter component of Synology BeeStation Manager (BSM) and BeeStation OS lets remote attackers execute arbitrary code with no authentication or user interaction required.
What Is It
CVE-2025-12686 is a CWE-120 "Classic Buffer Overflow" (a buffer copy without checking the size of input) located in AdminCenter, the management interface of Synology's BeeStation product line. According to Synology's advisory, unspecified vectors allow remote attackers to trigger the overflow and execute arbitrary code on the affected device.
The CVE carries a CVSS 3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the vulnerability is network-reachable, has low attack complexity, needs no privileges and no user interaction, and fully compromises the confidentiality, integrity, and availability of the target.
Why It Matters
BeeStation is Synology's consumer-oriented personal cloud storage appliance. AdminCenter is the device's primary administrative surface, and a pre-auth remote code execution flaw there effectively hands full control of the appliance, and the personal files on it, to anyone who can reach the management interface over the network.
There is no entry in CISA's Known Exploited Vulnerabilities (KEV) catalog for this CVE at the time of writing, so active in-the-wild exploitation is not currently confirmed by CISA. However, the combination of an unauthenticated network attack vector, low complexity, and arbitrary code execution on an internet-adjacent storage device makes this an attractive target.
What's Vulnerable
Per the NVD record, the following are affected:
- Synology BeeStation Manager (BSM): all versions before 1.3.2-65648
- Synology BeeStation OS: all versions before 1.3.2-65648
The vulnerable code path lives in the AdminCenter component on both product lines.
Patch Status
Synology has published fixed builds. Required action: upgrade to:
- BSM 1.3.2-65648 or later
- BeeStation OS 1.3.2-65648 or later
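A small triage helper for checking an inventory of BeeStation firmware versions against the fixed build named above. This is an added example, not Synology's code or part of the advisory; the hostnames and version strings in the sample inventory are constructed, and it assumes the `major.minor.patch-build` version format shown on this page.

```python
import re
from typing import Dict, Tuple

# Fixed build from Synology's advisory; the same build number applies to
# both BeeStation Manager (BSM) and BeeStation OS, so one threshold suffices.
FIXED_VERSION = "1.3.2-65648"

# Matches "1.3.2-65648"; the "-build" suffix is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch-build' into a comparable integer tuple.
    A missing build suffix is treated as build 0, which sorts before any
    real build of the same release and so is conservatively flagged."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch required', 'patched' or 'unknown version'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patch required" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown version"  # needs manual follow-up
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "bee-01": "1.3.1-65374",
        "bee-02": "1.3.2-65648",
        "bee-03": "1.3.2",
        "bee-04": "1.4.0-66001",
        "bee-05": "n/a",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```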
Until patched, exposure of the BeeStation management interface to untrusted networks (including the public internet) should be treated as high risk. Restrict network reachability of AdminCenter to trusted hosts where possible.