Synology Patches Critical BeeStation Flaws Exposed at Pwn2Own

Summary
– Synology patched a critical remote code execution vulnerability (CVE-2025-12686) in BeeStation products that was demonstrated at Pwn2Own.
– The flaw is a buffer copy that does not check the size of its input, enabling arbitrary code execution on affected BeeStation OS versions.
– Users must upgrade to BeeStation OS version 1.3.2-65648 or above as there are no available mitigations for this vulnerability.
– Researchers from Synacktiv exploited the flaw at Pwn2Own Ireland 2025, earning a $40,000 reward for their demonstration.
– ZDI will disclose technical details of the vulnerabilities after patches are applied, with more information to be released in the coming months.
Synology has rolled out a critical security update for its BeeStation personal cloud devices, addressing a serious remote code execution vulnerability that was publicly demonstrated at the Pwn2Own hacking contest. This flaw, tracked as CVE-2025-12686, stems from a buffer copy operation that fails to check input size, potentially allowing attackers to run arbitrary code on affected systems. The issue impacts several versions of BeeStation OS, the software running on Synology’s consumer-focused network-attached storage units.
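The bug class named above, a buffer copy whose destination size is never checked against the attacker-supplied length, is worth seeing side by side with its fix. The C below is an added example written for this article; it is not BeeStation code and comes from neither Synology nor Synacktiv, and the message layout (one length byte followed by a name), the `NAME_MAX` buffer size and the function names are constructed for illustration. It shows the unchecked parser next to a hardened one that rejects oversize input before any memory is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example layout: byte 0 is the name length, bytes 1..n the name.
 * NAME_MAX is a hypothetical fixed-size destination buffer. */
#define NAME_MAX 16

/* Defective pattern (CWE-120, buffer copy without checking size of input):
 * the length byte is validated only against the source message, never against
 * the destination buffer, so a length of 16 or more writes past 'out'.
 * Kept here for comparison only; do not feed it untrusted data. */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX])
{
    if (msg_len < 1 || msg_len < 1 + (size_t)msg[0])
        return -1;                         /* only the source bound is checked */
    memcpy(out, msg + 1, msg[0]);          /* msg[0] may exceed NAME_MAX */
    out[msg[0]] = '\0';                    /* also past the end when msg[0] == NAME_MAX */
    return (int)msg[0];
}

/* Hardened version: bound the copy by the destination size before touching
 * memory, leaving room for the terminating NUL. Oversize input is rejected
 * rather than silently truncated, so the caller can log and drop the message. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX])
{
    if (msg_len < 1)
        return -1;
    size_t n = msg[0];
    if (n >= NAME_MAX)
        return -1;                         /* destination bound: n + NUL must fit */
    if (msg_len < 1 + n)
        return -1;                         /* source bound */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed inputs: a well-formed message and one whose length byte
 * exceeds the destination buffer. */
static const uint8_t GOOD_MSG[] = { 5, 'a', 'l', 'i', 'c', 'e' };
static uint8_t oversize_msg[1 + 40];

/* Fills oversize_msg (length byte 40, payload of 'A') and returns the length
 * byte so a caller can see that it exceeds NAME_MAX. */
size_t build_oversize_msg(void)
{
    oversize_msg[0] = 40;
    memset(oversize_msg + 1, 'A', 40);
    return oversize_msg[0];
}

int main(void)
{
    char out[NAME_MAX];
    int n = parse_name_checked(GOOD_MSG, sizeof GOOD_MSG, out);
    printf("checked, good input: %d bytes -> \"%s\"\n", n, out);

    build_oversize_msg();
    n = parse_name_checked(oversize_msg, sizeof oversize_msg, out);
    printf("checked, oversize input: %d (rejected)\n", n);
    /* parse_name_unchecked(oversize_msg, ...) would overflow 'out' here;
     * building with -fsanitize=address makes such a write fail loudly in tests. */
    return 0;
}
```

The check that matters is the one against `NAME_MAX`: the unchecked version does validate a bound, just the wrong one, which is why source-only length checks are not enough. Compiling test builds with AddressSanitizer, or fuzzing parsers of this shape with oversize length fields, is the cheapest way to catch this pattern before a device ships.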
Because no temporary workarounds exist, Synology urges all BeeStation users to upgrade immediately to BeeStation OS version 1.3.2-65648 or later to protect their devices. The vulnerability was successfully exploited live by researchers Tek and anyfun from the French security firm Synacktiv during Pwn2Own Ireland 2025 on October 21st. Their demonstration earned them a $40,000 prize.
Pwn2Own, a three-day event organized by Trend Micro and the Zero Day Initiative (ZDI), invites security experts to uncover and demonstrate previously unknown vulnerabilities in widely used products. The Ireland edition saw participants reveal 73 distinct zero-day flaws across various devices, with total rewards exceeding one million dollars.
This disclosure follows a similar recent action by another NAS manufacturer, QNAP, which patched seven zero-day vulnerabilities after they were showcased at the same event. Under Pwn2Own’s coordinated disclosure policy, technical details of the BeeStation flaw are withheld until a patch is released and users have adequate time to install it. Further information about the vulnerability is expected to appear on ZDI’s advisory platform and possibly on the researchers’ own blogs in the coming months.
(Source: Bleeping Computer)
