Synology Security Advisory-25:08 BeeDrive for Desktop
Security update for BeeDrive desktop tool on Windows to address multiple vulnerabilities
This is a Press Release edited by StorageNewsletter.com on August 1, 2025 at 2:01 pmSynology, Inc. had published a security advisory concerning resolved vulnerabilities in BeeDrive desktop tool on Windows.
Publish Time: 2025-07-22 13:34:11 UTC+8
Last Updated: 2025-07-22 13:34:11 UTC+8
Severity: Important
Status: Resolved
Abstract
Synology has released a security update for the BeeDrive desktop tool on Windows to address multiple vulnerabilities:
-
-
- CVE-2025-54158 allows local users to execute arbitrary code.
- CVE-2025-54159 allows remote attackers to delete arbitrary files.
- CVE-2025-54160 allows local users to execute arbitrary code.
-
Refer to the ‘Affected Products’ table for the corresponding updates.
Affected Products
|
Product |
Severity |
Fixed Release Availability |
|---|---|---|
|
BeeDrive for desktop |
Important |
Upgrade to 1.4.2-13960 or above. |
Mitigation: None
Detail
-
CVE-2025-54158
- Severity: Important
- CVSS3 Base Score: 7.8
- CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE-306: Missing Authentication for Critical Function
- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
-
CVE-2025-54159
- Severity: Important
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- CWE-862: Missing Authorization
- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
-
CVE-2025-54160
- Severity: Important
- CVSS3 Base Score: 7.8
- CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Acknowledgement
- CVE-2025-54158 : Zhao Runzi (赵润梓), 李建申(https://lsr00ter.github.io)
- CVE-2025-54159, CVE-2025-54160 : Zhao Runzi (赵润梓)
Revision
|
Revision |
Date |
Description |
|---|---|---|
|
1 |
2025-07-22 |
Initial public release. |
Share this news :
Subscribe to our free daily newsletter
