Vypr Intelligence · AI-generated · May 31, 2026 · 10 CVEs

Synology: 10 CVEs Disclosed Across NAS, BeeStation, and Backup Products

Synology patched 10 vulnerabilities on May 27, spanning DSM, BeeStation OS, Active Backup, and desktop apps, including a critical 9.8 buffer overflow in BeeStation AdminCenter.

Key findings

  • Critical buffer overflow (CVE-2025-12686, CVSS 9.8) in BeeStation OS AdminCenter allows remote code execution
  • SSO authentication bypass in DSM (CVE-2025-13392, CVSS 8.1) requires prior knowledge of a user's DN
  • Active Backup for Business (CVE-2025-30028, CVSS 8.6) allows unauthenticated remote file reads
  • Three separate agent installers share the same origin-validation bug class
  • BeeDrive desktop app patched for two bugs including an OpenSSL DLL hijacking flaw (CVE-2023-52945, CVSS 7.8)
  • All 10 CVEs were fixed in a single coordinated advisory on May 27, 2026

Synology released a coordinated batch of security advisories on May 27, 2026, covering 10 vulnerabilities across its ecosystem of NAS appliances, BeeStation devices, backup agents, and desktop utilities. The batch includes one Critical-severity flaw (CVSS 9.8), three High-severity bugs, and six Medium-severity issues, spanning products from DiskStation Manager (DSM) to the consumer-focused BeeDrive desktop client.

Critical buffer overflow in BeeStation AdminCenter

The most severe vulnerability in the batch is CVE-2025-12686, a classic buffer overflow in the AdminCenter component of Synology BeeStation OS before version 1.3.2-65648. With a CVSS score of 9.8, the flaw allows remote attackers to execute arbitrary code on affected BeeStation devices via unspecified vectors. BeeStation is Synology's all-in-one personal cloud appliance aimed at home users, making this a particularly concerning target for remote compromise.

Authentication bypass and credential exposure in DSM and C2 Identity

Two High-severity vulnerabilities affect core Synology identity and access management components. CVE-2025-13392 (CVSS 8.1) is an improper exception-handling flaw in the SSO module of DSM. Attackers with prior knowledge of a user's distinguished name (DN) can bypass authentication entirely. The vulnerability affects DSM versions before 7.2.2-72806-5 and 7.3.1-86003-1; version 7.2.1-69057 is not affected.

CVE-2025-14713 (CVSS 7.5) targets the C2 Identity Edge Server package in DSM before 1.76.0-0307. The vulnerability, classified as an exposed dangerous method or function, allows remote attackers to obtain user credentials from the edge server — a significant risk for organizations using Synology's cloud-identity bridging.

Arbitrary file read in Active Backup for Business

CVE-2025-30028 (CVSS 8.6) affects Synology Active Backup for Business, allowing unauthorized remote attackers to read arbitrary files on the system. Active Backup for Business is widely deployed in SMB environments to back up Windows, Linux, and macOS endpoints, making this a high-impact information-disclosure vector.

Install-time origin validation errors across multiple agents

A cluster of three Medium-severity vulnerabilities — CVE-2025-66593 (Synology Assistant, CVSS 6.1), CVE-2025-66592 (Active Backup for Business Agent, CVSS 6.1), and CVE-2025-13593 (ActiveProtect Agent, CVSS 6.1) — all share the same root cause: an origin validation error that allows local users to write arbitrary files with restricted content during the installation process. These bugs affect Synology Assistant before 7.0.6-50085, Active Backup for Business Agent before 3.1.0-4967, and ActiveProtect Agent before 1.1.0-0439, respectively.

Cross-site scripting and denial-of-service in Safe Access and BeeDrive

CVE-2025-10466 (CVSS 5.9) is a stored cross-site scripting vulnerability in Synology Safe Access before 1.3.1-0329. It can only be exploited by remote authenticated users with administrator privileges, and could allow reading or writing specific files containing non-sensitive information or conducting a limited denial of service.

Two additional bugs affect the Synology BeeDrive for desktop application (before 1.3.2-13814). CVE-2024-11399 (CVSS 6.8, Medium) involves files or directories accessible to external parties in the redis-server component, enabling local denial-of-service attacks. CVE-2023-52945 (CVSS 7.8, High) is an uncontrolled search path element vulnerability in the OpenSSL DLL component, allowing local users to execute arbitrary code.

Patch status and recommendations

Synology has released patched versions for all affected products. Users should update to the following minimum versions:

  • BeeStation OS: 1.3.2-65648 (fixes CVE-2025-12686)
  • DSM (SSO): 7.2.2-72806-5 or 7.3.1-86003-1 (fixes CVE-2025-13392)
  • DSM (C2 Identity Edge Server): 1.76.0-0307 (fixes CVE-2025-14713)
  • Active Backup for Business: patched version (fixes CVE-2025-30028)
  • Active Backup for Business Agent: 3.1.0-4967 (fixes CVE-2025-66592)
  • Synology Assistant: 7.0.6-50085 (fixes CVE-2025-66593)
  • ActiveProtect Agent: 1.1.0-0439 (fixes CVE-2025-13593)
  • Safe Access: 1.3.1-0329 (fixes CVE-2025-10466)
  • BeeDrive for desktop: 1.3.2-13814 (fixes CVE-2024-11399 and CVE-2023-52945)
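As an added example, not part of the Vypr summary or any Synology tooling, the following Python script parses Synology's release-build-hotfix version strings and checks an inventory of installed components against the minimum versions listed above. The fixed versions are the ones in this list; DSM 7.2.1-69057 is treated as unaffected because the summary says so; Active Backup for Business has no numbered fixed version here, so the script reports it as unknown rather than guessing. The sample inventory values marked as constructed are made up for illustration.

```python
"""Check installed Synology component versions against the minimum patched
versions listed in the May 27, 2026 advisory batch (added example)."""
import re

# Minimum patched versions, copied from the advisory summary above.
# DSM has two supported branches; an installed DSM version is compared only
# against the fixed build of its own major.minor branch.
FIXED_VERSIONS = {
    "BeeStation OS": ["1.3.2-65648"],
    "DSM": ["7.2.2-72806-5", "7.3.1-86003-1"],
    "C2 Identity Edge Server": ["1.76.0-0307"],
    "Active Backup for Business Agent": ["3.1.0-4967"],
    "Synology Assistant": ["7.0.6-50085"],
    "ActiveProtect Agent": ["1.1.0-0439"],
    "Safe Access": ["1.3.1-0329"],
    "BeeDrive for desktop": ["1.3.2-13814"],
}

# Versions the summary explicitly names as not affected.
UNAFFECTED = {"DSM": ["7.2.1-69057"]}


def parse_version(text):
    """Split a Synology version string such as '7.2.2-72806-5' into
    (release_tuple, build, hotfix) so that tuples compare in release order.
    A missing hotfix counts as 0, so '7.2.2-72806' sorts before '7.2.2-72806-5'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-(\d+)(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, int(m.group(2)), int(m.group(3) or 0)


def branch(version):
    """major.minor tuple, used to pick the matching fixed build for DSM."""
    return parse_version(version)[0][:2]


def status(product, version):
    """Return 'patched', 'unaffected', 'vulnerable' or 'unknown' for one
    installed component. 'unknown' means the summary gives no threshold for
    this product or release branch, not that the component is safe."""
    installed = parse_version(version)
    for v in UNAFFECTED.get(product, []):
        # Assumption: an unaffected version matches on release and build,
        # whatever hotfix level is appended.
        if parse_version(v)[:2] == installed[:2]:
            return "unaffected"
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return "unknown"
    if len(fixed) > 1:
        # Multiple branches: compare only against the same major.minor line.
        fixed = [f for f in fixed if branch(f) == installed[0][:2]]
        if not fixed:
            return "unknown"
    threshold = min(parse_version(f) for f in fixed)
    return "patched" if installed >= threshold else "vulnerable"


def report(inventory):
    """inventory: iterable of (product, version) pairs. Returns a list of
    (product, version, status) rows with the most urgent items first."""
    order = {"vulnerable": 0, "unknown": 1, "unaffected": 2, "patched": 3}
    rows = [(p, v, status(p, v)) for p, v in inventory]
    return sorted(rows, key=lambda r: order[r[2]])


# Constructed sample inventory for demonstration; the version strings marked
# "constructed" are not real builds, only values chosen to exercise each path.
SAMPLE_INVENTORY = [
    ("DSM", "7.2.2-72806-3"),                      # constructed: below hotfix 5
    ("DSM", "7.3.1-86003-1"),                      # exactly the fixed build
    ("DSM", "7.2.1-69057"),                        # named as not affected
    ("BeeStation OS", "1.3.1-65374"),              # constructed: pre-fix build
    ("BeeDrive for desktop", "1.3.2-13814"),       # fixed build
    ("Active Backup for Business", "2.7.1-13234"), # constructed: no threshold given
]

if __name__ == "__main__":
    for product, version, result in report(SAMPLE_INVENTORY):
        print(f"{result:<11}{product}: {version}")
```

Treating "unknown" as a separate outcome matters in practice: a script that silently reports "patched" for a product it has no threshold for would hide exactly the component (Active Backup for Business here) whose fixed version still needs to be looked up in the vendor advisory.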

Why this batch matters

This disclosure is notable for its breadth: Synology's product line spans consumer, SMB, and enterprise use cases, and the batch touches nearly every tier. The Critical buffer overflow in BeeStation is especially concerning for home users who may not apply updates promptly, while the SSO authentication bypass and Active Backup file-read flaw pose serious risks in managed environments. The three origin-validation bugs in installation agents suggest a systemic weakness in how Synology's desktop and agent installers validate their sources — a pattern worth watching in future advisories.

AI-written article. Grounded in 10 CVE records listed below.