Synology-SA-25:08 BeeDrive for desktop

Abstract

• CVE-2025-54158 allows local users to execute arbitrary code.
• CVE-2025-54159 allows remote attackers to delete arbitrary files.
• CVE-2025-54160 allows local users to execute arbitrary code.

Please refer to the 'Affected Products' table for the corresponding updates.

Affected Products

Mitigation

None

Detail

• CVE-2025-54158

  • Severity: Important
  • CVSS3 Base Score: 7.8
  • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CWE-306: Missing Authentication for Critical Function
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2025-54159

  • Severity: Important
  • CVSS3 Base Score: 7.5
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CWE-862: Missing Authorization
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2025-54160

  • Severity: Important
  • CVSS3 Base Score: 7.8
  • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Acknowledgement

• CVE-2025-54158 : Zhao Runzi (赵润梓), 李建申（https://lsr00ter.github.io）
  

• CVE-2025-54159, CVE-2025-54160 : Zhao Runzi (赵润梓)

Revision