November 12, 2025 By Pierluigi Paganini

Synology fixed a critical BeeStation RCE flaw (CVE-2025-12686) shown at Pwn2Own, caused by unchecked buffer input allowing code execution.
Synology patched a critical remote code execution (RCE) flaw, tracked as CVE-2025-12686 (CVSS score 9.8), in BeeStation; the flaw was demonstrated during the Pwn2Own Ireland 2025 hacking competition. BeeStation is a plug-and-play device that turns traditional storage into a personal cloud server. The vulnerability is caused by improper buffer size checks, which allow a remote attacker to execute arbitrary code.
“CVE-2025-12686 allows remote attackers to execute arbitrary code,” reads the advisory.
The flaw affects the following products:
| Product | Severity | Fixed Release Availability |
|---|---|---|
| BeeStation OS 1.3 | Critical | Upgrade to 1.3.2-65648 or above. |
| BeeStation OS 1.2 | Critical | Upgrade to 1.3.2-65648 or above. |
| BeeStation OS 1.1 | Critical | Upgrade to 1.3.2-65648 or above. |
| BeeStation OS 1.0 | Critical | Upgrade to 1.3.2-65648 or above. |
Pwn2Own Ireland 2025 wrapped up with $1,024,750 awarded for 73 unique zero-days.
Pwn2Own Ireland 2025 included eight categories of exploits targeting flagship smartphones (Galaxy S25, iPhone 16, Pixel 9), printers, network storage, home networking gear, messaging apps, smart home and surveillance devices, plus wearables like Meta Quest 3/3S and Ray-Ban Smart Glasses.