CVE-2025-12686
published 2026-05-27
Priority: P358 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.76% (84.4th percentile)
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | beestation_os | >= 1.0 < 1.3.2-65648 | 1.3.2-65648 |
| synology | beestation_os | >= 1.0 < 1.3.2 | 1.3.2 |
| synology | beestation_os | >= 1.1 < 1.3.2-65648 | 1.3.2-65648 |
| synology | beestation_os | >= 1.2 < 1.3.2-65648 | 1.3.2-65648 |
| synology | beestation_os | >= 1.3 < 1.3.2-65648 | 1.3.2-65648 |
VulDB
Synology BeeStation Plus auth_info stack-based overflow (ZDI-25-1039)
vuldb·2026-06-07·CVSS 9.8
CVE-2025-12686 [CRITICAL] Synology BeeStation Plus auth_info stack-based overflow (ZDI-25-1039)
A vulnerability was found in Synology BeeStation Plus. It has been classified as critical. Impacted is an unknown function. Performing a manipulation of the argument auth_info results in stack-based buffer overflow.
This vulnerability is known as CVE-2025-12686. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
GHSA
GHSA-9f49-q57w-cw53: Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation Manager (BSM) before 1
ghsa_unreviewed·2026-05-27
CVE-2025-12686 [CRITICAL] CWE-120 GHSA-9f49-q57w-cw53: Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation Manager (BSM) before 1
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation Manager (BSM) before 1.3.2-65648 and Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-27