Description
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.
Published: 2026-05-27
Score: 9.8 Critical
EPSS: 2.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A classic buffer overflow flaw (CWE‑120) exists in the AdminCenter module of Synology BeeStation OS when user input is copied into a buffer without size validation. The vulnerability can be triggered remotely, allowing an attacker to overwrite critical memory and execute arbitrary code on the affected device. The impact is severe, with a CVSS base score of 9.8, underscoring the risk of full system compromise.

Affected Systems

Synology BeeStation OS firmware versions prior to 1.3.2‑65648 are vulnerable. Any installation running a firmware build dated before this release is at risk until an update is applied.

Risk and Exploitability

The EPSS score of 3% indicates a low but non‑zero likelihood of exploitation. The flaw is not yet listed in the CISA KEV catalog. Attackers are likely to exploit the vulnerability over the network via the AdminCenter management interface, though the specific vector is unspecified in the advisory. Without an official workaround, the safest mitigations involve applying the vendor patch or limiting external access to the vulnerable service.

Generated by OpenCVE AI on June 16, 2026 at 05:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Synology BeeStation OS to firmware version 1.3.2‑65648 or later to receive the vendor fix.
  • If an immediate update is not feasible, restrict access to the AdminCenter interface to trusted IP addresses or internal networks only.
  • If the AdminCenter service is not required, disable it to remove the attack surface.

Generated by OpenCVE AI on June 16, 2026 at 05:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Title Buffer Overflow in AdminCenter Allows Remote Code Execution in Synology BeeStation OS

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:synology:beestation_os:*:*:*:*:*:*:*:*

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Synology
Synology beestation Manager
Synology beestation Os
Vendors & Products Synology
Synology beestation Manager
Synology beestation Os

Wed, 27 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Buffer Overflow in Synology BeeStation Manager/AdminCenter

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation Manager (BSM) before 1.3.2-65648 and Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors. Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Buffer Overflow in Synology BeeStation Manager/AdminCenter

Wed, 27 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation Manager (BSM) before 1.3.2-65648 and Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Synology Beestation Manager Beestation Os
cve-icon MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T15:13:20.556Z

Reserved: 2025-11-04T06:21:03.851Z

Link: CVE-2025-12686

cve-icon Vulnrichment

Updated: 2026-05-27T13:44:02.737Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T09:16:26.357

Modified: 2026-06-05T14:07:23.090

Link: CVE-2025-12686

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T05:45:03Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')