—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Remote Code Execution Vulnerability in Synology BeeStation 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

BeeStation OS 1.0, 1.1, 1.2, 1.3

Overview

A critical vulnerability has been reported in BeeStation OS, which may allow a remote attacker to execute arbitrary code on the targeted vulnerable system.

Target Audience:

Users of the affected BeeStation OS.

Risk Assessment:

High risk of arbitrary code execution, privilege escalation, and persistence.

Impact Assessment:

Potential for full system takeover, sensitive information disclosure, lateral movement and disruption of services.

Description

Synology BeeStation OS is an operating system designed for cloud-based file management.

The vulnerability exists due to a buffer copy without checking the size of the input, resulting in a classic buffer overflow condition.

Successful exploitation could allow an unauthenticated attacker to execute arbitrary code on the targeted system.

Solution

Upgrade to Synology BeeStation version 1.3.2-65648 or above.

Vendor Information

Synology

https://www.synology.com/en-global/security/advisory/Synology_SA_25_12

References

Synology

https://www.synology.com/en-global/security/advisory/Synology_SA_25_12

CVE Name

CVE-2025-12686

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmkV9ewACgkQ3jCgcSdc

ys+HRg//bATBIqyI6Lyw2wYosc9+Ju55ldJPPPKI7MDN3tglW8SUNqntFrs2m/Uo

Kip0GX1rVBSX5wAsHKDpLomwUteo9PsvN1p/DUaitlksrhC8irSy5WWan2Zq35av

OkpuA0iHnHL5k74XgEzTPXliQyyzaBkRJL83Unm4PZ8hWTTkqbYhiOrJ7NJqlont

HjXZ/i8zzzUjECUPFObAFFvytoQKEYJItYZqKkiSV8h81hwe6HeR0ZEDKeD1//xa

z6EzAkL3IZjr64em19rBQkmi+aTDEj3xzTcV14popkvpSxgPHjv3Dyizfr8J3NVt

tLQyEAj233ZbmERRlD4YQPVLBqFrCgmuCpdPhiQDc2iTRY4AlUbR8JdDb7lye7Gz

clnXxe/111e15mP3UsKjYIZFL30Ivtogxhn1IDGTJ0SwNWcWQ6vJfaSXngJaXY57

QtOc5Nk3PIUSbr3OrFA8jSSmsrYHHur+XEi5ILNONACLIqyey16orc4G8x9OOni1

wpsTCFSgyvVGTQQv6bHNFg5v9Q8Rft15RlpCXeTtcffXxcfmPfOPr0J1Y88MeDYG

9JJohbR7JjACrNXXAnq4U3S+Oa5Y4qTPy2yKBM56nicgh0uv5+kU2GrYrjjRfZER

ubwKkQUsavuQiAcQlu/xoNfmkXr03k93vNXadbq5jI25rOvKUYE=

=gFFT

—–END PGP SIGNATURE—–