VYPR
Tag: patch · Published May 31, 2026 · 1 source

Synology Patches 10 CVEs Across NAS, BeeStation, and Backup Products, Including Critical RCE Bug

Synology released a coordinated batch of 10 security advisories on May 27, 2026, covering a critical buffer overflow in BeeStation OS and multiple high-severity flaws in DSM, Active Backup, and desktop apps.

Synology released a coordinated batch of security advisories on May 27, 2026, covering 10 vulnerabilities across its ecosystem of NAS appliances, BeeStation devices, backup agents, and desktop utilities. The batch includes one Critical-severity flaw (CVSS 9.8), three High-severity bugs, and six Medium-severity issues, spanning products from DiskStation Manager (DSM) to the consumer-focused BeeDrive desktop client.

The most severe vulnerability is CVE-2025-12686, a classic buffer overflow in the AdminCenter component of Synology BeeStation OS before version 1.3.2-65648. With a CVSS score of 9.8, the flaw allows remote attackers to execute arbitrary code on affected BeeStation devices via unspecified vectors. BeeStation is Synology's all-in-one personal cloud appliance aimed at home users, making this a particularly concerning target for remote compromise.

Two High-severity vulnerabilities affect core Synology identity and access management components. CVE-2025-13392 (CVSS 8.1) is an improper exception-handling flaw in the SSO module of DSM, allowing attackers with prior knowledge of a user's distinguished name (DN) to bypass authentication entirely. CVE-2025-14713 (CVSS 7.5) targets the C2 Identity Edge Server package in DSM, exposing a dangerous method that allows remote attackers to obtain user credentials from the edge server.

CVE-2025-30028 (CVSS 8.6) affects Synology Active Backup for Business, allowing unauthorized remote attackers to read arbitrary files on the system. Active Backup for Business is widely deployed in SMB environments to back up Windows, Linux, and macOS endpoints, making this a high-impact information-disclosure vector.

A cluster of three Medium-severity vulnerabilities — CVE-2025-66593 (Synology Assistant), CVE-2025-66592 (Active Backup for Business Agent), and CVE-2025-13593 (ActiveProtect Agent) — all share the same root cause: an origin validation error that allows local users to write arbitrary files with restricted content during installation. These bugs affect Synology Assistant before 7.0.6-50085, Active Backup for Business Agent before 3.1.0-4967, and ActiveProtect Agent before 1.1.0-0439, respectively.

Additional Medium-severity bugs include CVE-2025-10466, a stored cross-site scripting vulnerability in Synology Safe Access, and two flaws in the Synology BeeDrive for desktop application: CVE-2024-11399 (files accessible to external parties in redis-server) and CVE-2023-52945 (uncontrolled search path in OpenSSL DLL, rated High).

Synology has released patched versions for all affected products. Users should update BeeStation OS to 1.3.2-65648, DSM to 7.2.2-72806-5 or 7.3.1-86003-1, Active Backup for Business to the latest version, and other affected software to the specified minimum versions. This disclosure is notable for its breadth, touching consumer, SMB, and enterprise tiers, and the three origin-validation bugs in installation agents suggest a systemic weakness in how Synology's installers validate their sources.
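To turn the minimum versions above into a quick inventory check, here is an added example (not Synology's own tooling) that parses Synology's `major.minor.patch-build[-hotfix]` version strings and flags installs below the fixed version for their branch. It assumes that format holds for every product listed, uses only the fixed versions stated on this page (Active Backup for Business itself is omitted because no version is given), and the sample inventory is constructed.

```python
import re

# Minimum fixed versions as stated in the advisory summary above.
# DSM has two maintained branches, so the fix is branch-specific.
FIXED_VERSIONS = {
    "BeeStation OS": ["1.3.2-65648"],
    "DSM": ["7.2.2-72806-5", "7.3.1-86003-1"],
    "Synology Assistant": ["7.0.6-50085"],
    "Active Backup for Business Agent": ["3.1.0-4967"],
    "ActiveProtect Agent": ["1.1.0-0439"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:-(\d+))?$")

def parse_version(text):
    """Parse 'major.minor.patch-build[-hotfix]' into a comparable tuple.
    A missing hotfix suffix sorts as 0, so 7.2.2-72806 < 7.2.2-72806-5."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {text!r}")
    major, minor, patch, build, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(build), int(hotfix or 0))

def is_patched(product, installed):
    """True if `installed` is at or above the fixed version for its branch."""
    inst = parse_version(installed)
    # Compare only against the fix on the same major.minor branch; a branch
    # with no listed fix (e.g. an older DSM line) is treated as unpatched.
    same_branch = [parse_version(v) for v in FIXED_VERSIONS[product]
                   if parse_version(v)[:2] == inst[:2]]
    return bool(same_branch) and inst >= min(same_branch)

def audit(inventory):
    """inventory: iterable of (host, product, version); returns the unpatched ones."""
    findings = []
    for host, product, version in inventory:
        if product in FIXED_VERSIONS and not is_patched(product, version):
            findings.append((host, product, version, " or ".join(FIXED_VERSIONS[product])))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory: hypothetical hosts and versions, not real data.
    sample = [
        ("nas-01", "DSM", "7.2.2-72806-3"),
        ("nas-02", "DSM", "7.3.1-86003-1"),
        ("bee-home", "BeeStation OS", "1.3.1-65001"),
        ("pc-17", "Active Backup for Business Agent", "3.1.0-4967"),
    ]
    for host, product, version, fix in audit(sample):
        print(f"UNPATCHED: {host} {product} {version} (fix: {fix})")
```

Feed it the product and version strings exported from your asset inventory; anything it reports should be scheduled for the update described above.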

Synthesized by Vypr AI