Description
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation Manager (BSM) before 1.3.2-65648 and Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.
Published: 2026-05-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A classic buffer overflow occurs in the AdminCenter component of Synology BeeStation Manager (BSM) and BeeStation OS when data is copied into a buffer without proper size validation. The flaw allows an attacker to overwrite critical memory structures and execute arbitrary code, compromising the integrity and availability of the affected device.

Affected Systems

Synology's BeeStation Manager (BSM) and BeeStation OS are vulnerable in all releases before version 1.3.2-65648. Users of older firmware remain at risk until they upgrade to this build or later.

Risk and Exploitability

The potential impact is reflected in a CVSS base score of 9.8, indicating a very severe risk. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. Because the description indicates that remote attackers can exploit the flaw via unspecified vectors, it is inferred that the attack is carried out over the network, likely through the AdminCenter management interface. The lack of an official workaround means that the safest mitigations rely on applying the vendor patch or cutting off external access.

Generated by OpenCVE AI on May 27, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Synology BeeStation Manager and BeeStation OS to version 1.3.2-65648 or later to apply the vendor fix.
  • If an update cannot be performed immediately, restrict access to the AdminCenter interface to trusted IP addresses or network segments.
  • Disable the AdminCenter service if it is not required for your operation, reducing the attack surface.

Tracking

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:45:00 +0000

Type: Title
Values removed: (none)
Values added: Remote Code Execution via Buffer Overflow in Synology BeeStation Manager/AdminCenter

Wed, 27 May 2026 09:00:00 +0000

Type: Description
Values removed: (none)
Values added: Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation Manager (BSM) before 1.3.2-65648 and Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.

Type: Weaknesses
Values removed: (none)
Values added: CWE-120

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T13:44:11.255Z

Reserved: 2025-11-04T06:21:03.851Z

Link: CVE-2025-12686

Vulnrichment

Updated: 2026-05-27T13:44:02.737Z

NVD

Status: Awaiting Analysis

Published: 2026-05-27T09:16:26.357

Modified: 2026-05-27T14:54:20.160

Link: CVE-2025-12686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:30:28Z

Weaknesses