
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN523
_____________________________________________________________________

DATE                : 18/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running BeeDrive for desktop versions
                          prior to 1.4.2-13960, 1.4.3-13973.

=====================================================================
https://www.synology.com/fr-fr/security/advisory/Synology_SA_25_08
https://www.synology.com/fr-fr/security/advisory/Synology_SA_25_09
_____________________________________________________________________

Synology-SA-25:08 BeeDrive for desktop

Publish Time: 2025-07-22 13:34:11 UTC+8

Last Updated: 2025-07-22 13:34:11 UTC+8

Severity
    Important

Status
    Resolved

Abstract
Synology has released a security update for the BeeDrive desktop
tool on Windows to address multiple vulnerabilities:

    CVE-2025-54158 allows local users to execute arbitrary code.
    CVE-2025-54159 allows remote attackers to delete arbitrary files.
    CVE-2025-54160 allows local users to execute arbitrary code.


Please refer to the 'Affected Products' table for the corresponding
updates.


Affected Products

Product                 Severity        Fixed Release Availability
BeeDrive for desktop    Important       Upgrade to 1.4.2-13960 or above.


Mitigation

None


Detail

    CVE-2025-54158
        Severity: Important
        CVSS3 Base Score: 7.8
        CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        CWE-306: Missing Authentication for Critical Function
        ** RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when announcing a
        new security problem. When the candidate has been publicized,
        the details for this candidate will be provided.

    CVE-2025-54159
        Severity: Important
        CVSS3 Base Score: 7.5
        CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
        CWE-862: Missing Authorization
        ** RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when announcing a
        new security problem. When the candidate has been publicized,
        the details for this candidate will be provided.

    CVE-2025-54160
        Severity: Important
        CVSS3 Base Score: 7.8
        CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        CWE-22: Improper Limitation of a Pathname to a Restricted
        Directory ('Path Traversal')
        ** RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when announcing a
        new security problem. When the candidate has been publicized,
        the details for this candidate will be provided.


Acknowledgement

    CVE-2025-54158 : Zhao Runzi (赵润梓), 李建申（https://lsr00ter.github.io）

    CVE-2025-54159, CVE-2025-54160 : Zhao Runzi (赵润梓)


Revision

Revision        Date            Description
1               2025-07-22      Initial public release.

_____________________________________________________________________

Synology-SA-25:09 BeeDrive for desktop

Publish Time: 2025-08-12 16:19:04 UTC+8

Last Updated: 2025-08-12 16:19:04 UTC+8

Severity
    Moderate

Status
    Resolved

Abstract
Synology has released a security update for the BeeDrive desktop
tool on Windows to address a vulnerability:

    CVE-2025-8074 allows local users to write arbitrary files with
    non-sensitive information.

Please refer to the 'Affected Products' table for the
corresponding updates.


Affected Products

Product                 Severity        Fixed Release Availability
BeeDrive for desktop    Moderate        Upgrade to 1.4.3-13973 or above.


Mitigation

None


Detail

    CVE-2025-8074
        Severity: Moderate
        CVSS3 Base Score: 5.6
        CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
        CWE-346: Origin Validation Error
        ** RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when announcing a
        new security problem. When the candidate has been publicized,
        the details for this candidate will be provided.


Acknowledgement

Sheikh Rishad


Revision
Revision        Date            Description
1               2025-08-12      Initial public release.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
