Synology fixed a critical BeeStation RCE flaw (CVE-2025-12686) shown at Pwn2Own, caused by unchecked buffer input allowing code execution.
Synology patched a critical remote code execution (RCE) flaw, tracked as CVE-2025-12686 (CVSS score 9.8), in BeeStation, demonstrated during the hacking competition Pwn2Own Ireland 2025. BeeStation is a plug-and-play device that turns traditional storage into a personal cloud server. The vulnerability is caused by improper buffer size checks, allowing arbitrary code execution.
“CVE-2025-12686 allows remote attackers to execute arbitrary code,” reads the advisory.
The flaw affects the following products:
| Product | Severity | Fixed Release Availability |
|---|---|---|
| BeeStation OS 1.3 | Critical | Upgrade to 1.3.2-65648 or above. |
| BeeStation OS 1.2 | Critical | Upgrade to 1.3.2-65648 or above. |
| BeeStation OS 1.1 | Critical | Upgrade to 1.3.2-65648 or above. |
| BeeStation OS 1.0 | Critical | Upgrade to 1.3.2-65648 or above. |
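A defender-side check of a device inventory against the fixed release in the table above, as an added example that is not code from Synology or from the article; it assumes the `major.minor.patch-build` version format used in the advisory, and the host names and build numbers in the sample inventory are constructed.

```python
import re
from typing import Tuple

# Values from Synology's advisory for CVE-2025-12686 (the table above).
FIXED_RELEASE = "1.3.2-65648"
AFFECTED_LINES = {(1, 0), (1, 1), (1, 2), (1, 3)}  # BeeStation OS 1.0 - 1.3

# major.minor[.patch][-build]; patch and build are optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse '1.3.2-65648' into (major, minor, patch, build) for ordered comparison.
    A missing patch or build counts as 0, so '1.3' sorts below '1.3.2-65648'."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised BeeStation OS version: {s!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0))


def assess(installed: str) -> str:
    """Classify an installed version against the advisory.
    'patched'    : at or above the fixed release
    'vulnerable' : an affected 1.0-1.3 release below the fixed release
    'unlisted'   : below the fixed release but on a line the advisory does not name
    """
    v = parse_version(installed)
    if v >= parse_version(FIXED_RELEASE):
        return "patched"
    if (v[0], v[1]) in AFFECTED_LINES:
        return "vulnerable"
    return "unlisted"


def report(inventory: dict) -> list:
    """Produce one line per host; vulnerable hosts carry the upgrade target."""
    lines = []
    for host, ver in sorted(inventory.items()):
        status = assess(ver)
        if status == "vulnerable":
            status += f" (upgrade to {FIXED_RELEASE} or above)"
        lines.append(f"{host}: BeeStation OS {ver} -> {status}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory; host names and build numbers are made up.
    sample = {"bee-01": "1.2.0-65311", "bee-02": "1.3.2-65648", "bee-03": "1.3.2-65700"}
    print("\n".join(report(sample)))
```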
Pwn2Own Ireland 2025 wrapped up with $1,024,750 awarded for 73 unique zero-days.
Pwn2Own Ireland 2025 included eight categories of exploits targeting flagship smartphones (Galaxy S25, iPhone 16, Pixel 9), printers, network storage, home networking gear, messaging apps, smart home and surveillance devices, plus wearables like Meta Quest 3/3S and Ray-Ban Smart Glasses.
The Summoning Team won the Master of Pwn title for outstanding exploits across multiple categories, showcasing exceptional research and preparation.
This week, Taiwanese vendor QNAP also patched the zero-day vulnerabilities exploited at Pwn2Own Ireland 2025. The flaws affected QTS, QuTS hero, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync.
Pierluigi Paganini
(SecurityAffairs – hacking, CVE-2025-12686)
