
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN479
_____________________________________________________________________

DATE                : 30/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running BeeDrive for desktop versions
                                  prior to 1.4.2-13960.

=====================================================================
https://www.synology.com/fr-fr/security/advisory/Synology_SA_25_08
_____________________________________________________________________

Synology-SA-25:08 BeeDrive for desktop

Publish Time: 2025-07-22 13:34:11 UTC+8

Last Updated: 2025-07-22 13:34:11 UTC+8

Severity
    Important

Status
    Resolved


Abstract

Synology has released a security update for the BeeDrive desktop
tool on Windows to address multiple vulnerabilities:

    CVE-2025-54158 allows local users to execute arbitrary code.
    CVE-2025-54159 allows remote attackers to delete arbitrary files.
    CVE-2025-54160 allows local users to execute arbitrary code.

Please refer to the 'Affected Products' table for the corresponding
updates.


Affected Products

Product 	Severity 	Fixed Release Availability

BeeDrive for desktop 	Important 	Upgrade to 1.4.2-13960 or above.


Mitigation

None


Detail

    CVE-2025-54158
        Severity: Important
        CVSS3 Base Score: 7.8
        CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        CWE-306: Missing Authentication for Critical Function
        ** RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when announcing
        a new security problem. When the candidate has been
        publicized, the details for this candidate will be provided.


    CVE-2025-54159
        Severity: Important
        CVSS3 Base Score: 7.5
        CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
        CWE-862: Missing Authorization
        ** RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when announcing
        a new security problem. When the candidate has been
        publicized, the details for this candidate will be provided.


    CVE-2025-54160
        Severity: Important
        CVSS3 Base Score: 7.8
        CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        CWE-22: Improper Limitation of a Pathname to a Restricted
        Directory ('Path Traversal')
        ** RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when announcing
        a new security problem. When the candidate has been
        publicized, the details for this candidate will be provided.


Acknowledgement

    CVE-2025-54158 : Zhao Runzi (赵润梓), 李建申 (https://lsr00ter.github.io)

    CVE-2025-54159, CVE-2025-54160 : Zhao Runzi (赵润梓)


Revision

Revision 	Date 	Description

1 	2025-07-22 	Initial public release.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
