VYPR
Critical severity · 9.8 · NVD Advisory · Published May 27, 2026

CVE-2025-12686

Description

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation Manager (BSM) before 1.3.2-65648 and Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Buffer overflow in Synology BeeStation AdminCenter allows unauthenticated remote code execution in versions before 1.3.2-65648.

Vulnerability

A classic buffer overflow vulnerability (CWE-120) exists in the AdminCenter component of Synology BeeStation Manager (BSM) and BeeStation OS prior to version 1.3.2-65648 [1]. The vulnerability allows remote attackers to execute arbitrary code via unspecified vectors [1]. Affected products include BSM 1.3, 1.2, 1.1, and 1.0, all of which require an upgrade to 1.3.2-65648 or above [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N) [1]. No user interaction or special privileges are required. The exact sequence of steps is not disclosed in the available references, but the vulnerability is triggered by sending crafted input to the AdminCenter [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the affected BeeStation device [1]. This leads to full compromise of confidentiality, integrity, and availability, with a CVSS base score of 9.8 (Critical) [1].

Mitigation

Synology has released fixed versions: BeeStation OS 1.3.2-65648 (and corresponding BSM update) [1]. Users should upgrade immediately to the latest version. No workarounds are provided [1].
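A fleet check against the fixed version named above, added here as an example and not part of the advisory or of any Synology tooling; it assumes the "major.minor.patch-build" version layout seen in 1.3.2-65648, and the inventory values are constructed:

```python
import re

# Fixed version stated in the advisory for CVE-2025-12686.
FIXED_VERSION = "1.3.2-65648"

# Assumed layout: major.minor.patch, optionally followed by "-build".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a Synology-style 'major.minor.patch-build' string into a tuple.

    A missing build number is treated as 0 (assumption: a bare 'x.y.z'
    string predates any numbered build of that release).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed BSM / BeeStation OS version is below the fix.

    Components compare numerically, so a build like '1.3.2-9999' sorts
    below '1.3.2-65648' even though it is lexically greater.
    """
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map device name -> needs-upgrade flag for an inventory of versions."""
    return {name: is_vulnerable(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; device names and builds are made up.
    sample = {
        "bee-01": "1.3.1-65374",
        "bee-02": "1.3.2-65648",
        "bee-03": "1.0.0",
    }
    for name, flag in triage(sample).items():
        print(f"{name}: {'UPGRADE REQUIRED' if flag else 'ok'}")
```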

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)