Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland

  • Synology has addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products that was demonstrated at the recent Pwn2Own hacking competition.

    The security issue (CVE-2025-12686) is described as a ‘buffer copy without checking the size of input’ problem, and can be exploited to allow arbitrary code execution.

    It impacts multiple versions of BeeStation OS, the software powering Synology’s network-attached storage (NAS) devices marketed as a consumer-oriented “personal cloud.”

    There are no mitigations available, so the vendor recommends that users upgrade to the following versions, which address the issue:

    • BeeStation OS version 1.3.2-65648 or above

    Researchers Tek and anyfun at French cybersecurity company Synacktiv exploited the flaw in a demonstration during the Pwn2Own Ireland 2025 contest on October 21st. For their successful exploitation, the two researchers received a $40,000 reward.

    Source: www.bleepingcomputer.com
