

Ethical Hacking News

Synology Patches Critical BeeStation RCE Flaw Exploited at Pwn2Own Ireland 2025




Synology has patched a critical remote code execution (RCE) flaw in BeeStation, demonstrated during Pwn2Own Ireland 2025. The CVE-2025-12686 vulnerability allows arbitrary code execution due to improper buffer size checks. Users of affected products are advised to apply the patch immediately.

  • Synology has addressed a critical remote code execution (RCE) flaw in its BeeStation OS.
  • The vulnerability, tracked as CVE-2025-12686, has a CVSS score of 9.8 and allows remote attackers to execute arbitrary code.
  • A patch for the BeeStation OS 1.3, 1.2, 1.1, and 1.0 variants is now available.
  • Users of these products must apply this update immediately to prevent potentially catastrophic consequences.



  • Pierluigi Paganini
    November 12, 2025

    In a recent development that has left the cybersecurity community on high alert, Synology has taken decisive action to address a critical remote code execution (RCE) flaw, tracked as CVE-2025-12686. This vulnerability was specifically highlighted at Pwn2Own Ireland 2025, a prestigious hacking competition where numerous zero-day exploits were demonstrated.

    The Synology BeeStation RCE flaw is rated critical, with a CVSS score of 9.8. The vulnerability allows remote attackers to execute arbitrary code on vulnerable systems. The root cause lies in improper buffer size checks, which let attackers inject and run malicious code on the system.

    In response to this critical finding, Synology has issued a patch for the BeeStation OS 1.3, 1.2, 1.1, and 1.0 variants, which can be applied by upgrading to version 1.3.2-65648 or above. It is essential for users of these products to take immediate action to apply this update, as delaying could result in potentially catastrophic consequences.
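One way to check a device inventory against the fixed release named above, as an added example that is not Synology's or the article's own code. It assumes version strings in the `major.minor.patch-build` form and that you have already collected them per device; the hostnames and every version other than 1.3.2-65648 are constructed.

```python
import re

# Fixed release named in the article. Hostnames and the other version
# strings below are constructed sample data, not real devices or builds.
FIXED_RELEASE = "1.3.2-65648"
AFFECTED_BRANCHES = {(1, 0), (1, 1), (1, 2), (1, 3)}  # branches the article lists
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?\s*$")


def parse_version(text):
    """Parse 'major.minor[.patch][-build]' into a 4-tuple; absent parts are 0."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v >= parse_version(FIXED_RELEASE):
        return "patched"
    # A missing build number parses as 0, so "1.3.2" is flagged, not trusted.
    if v[:2] in AFFECTED_BRANCHES:
        return "vulnerable"
    return "unknown"  # below the fix but outside the branches listed


def audit(inventory):
    """Map each host to its status so unpatched units can be queued for update."""
    return {host: classify(ver) for host, ver in inventory.items()}


SAMPLE_INVENTORY = {  # constructed
    "bee-01": "1.3.2-65648",
    "bee-02": "1.2.1-60000",
    "bee-03": "1.3.2-65100",
    "bee-04": "1.3.2",
    "bee-05": "not reported",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unknown` need a manual check rather than being assumed safe.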

    The Synology BeeStation RCE flaw was thoroughly analyzed and exploited during the Pwn2Own Ireland 2025 event, which saw a total of $1,024,750 awarded to researchers who identified unique zero-days. The competition not only provided an opportunity for hackers to showcase their skills but also shed light on critical vulnerabilities that need to be addressed promptly.

    Pwn2Own Ireland 2025 covered eight different categories of exploits targeting prominent devices and systems, including flagship smartphones (Galaxy S25, iPhone 16, Pixel 9), printers, network storage, home networking gear, messaging apps, smart home and surveillance devices, plus wearables like Meta Quest 3/3S and Ray-Ban Smart Glasses.

    The event was won by the Summoning Team for their outstanding exploits across multiple categories, showcasing exceptional research and preparation. The recognition of this team underscores the importance of cybersecurity awareness and expertise in identifying vulnerabilities before they can be exploited.

    In addition to Synology, QNAP also took steps to address vulnerabilities demonstrated at Pwn2Own Ireland 2025. Their patches targeted various zero-day flaws that affected their software, including QTS, QuTS Hero, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync.

    The critical BeeStation RCE flaw highlighted by Synology serves as a stark reminder of the importance of keeping software up to date and addressing potential vulnerabilities promptly. This incident underscores the significance of cybersecurity vigilance and highlights the need for continuous monitoring of system updates and patches.

    In conclusion, Synology's swift response to address the critical BeeStation RCE flaw demonstrated at Pwn2Own Ireland 2025 is a testament to their commitment to security. Users of Synology products should take proactive measures to apply this update and ensure their systems are protected against potential threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Synology-Patches-Critical-BeeStation-RCE-Flaw-Exploited-at-Pwn2Own-Ireland-2025-ehn.shtml

  • https://securityaffairs.com/184528/security/synology-patches-critical-beestation-rce-flaw-shown-at-pwn2own-ireland-2025.html


  • Published: Wed Nov 12 04:34:17 2025 by llama3.2 3B Q4_K_M












