Synology Patches BeeStation Zero-Day (CVE-2025-12686) Exposed at Pwn2Own 2025
Synology has patched a zero-day vulnerability in its BeeStation devices, demonstrated at the recent Pwn2Own competition. The flaw, assigned CVE-2025-12686, falls under the category of “buffer copy without input-size validation,” enabling an attacker to execute arbitrary code on the target system.
The issue affects multiple versions of BeeStation OS, the operating system that powers Synology’s consumer-grade network storage devices and is marketed as a “personal cloud.” The fix is included in BeeStation OS version 1.3.2-65648 and later. As no temporary mitigations exist, users are strongly urged to install the updated firmware without delay.
The vulnerability was showcased by researchers Tek and anyfun from the French firm Synacktiv during the Pwn2Own Ireland 2025 competition held on October 21. Their successful exploitation earned the team a $40,000 reward.
Pwn2Own annually brings together security specialists from around the globe, giving them a stage on which to demonstrate zero-day exploits in widely used devices. At the recent event in Ireland, participants uncovered 73 previously unknown vulnerabilities across a range of products and collectively earned more than one million dollars.
Just a week earlier, another major NAS manufacturer, QNAP, released patches addressing seven zero-day vulnerabilities discovered at the same competition.
In accordance with its disclosure policy, the Zero Day Initiative (ZDI) refrains from publishing technical details until fixes are available and users have had sufficient time to update. Full technical analyses are expected to appear on the initiative’s website and in researchers’ blogs in the coming months.