How was the Synology BeeStation vulnerability discovered?

The vulnerability was discovered during the Pwn2Own 2025 competition in Ireland, a prominent security research competition where experts demonstrate zero-day vulnerabilities in various devices and software.

What type of vulnerability is CVE-2025-12686?

CVE-2025-12686 is a buffer overflow vulnerability that can be exploited over the network by unauthenticated remote attackers to execute arbitrary code on affected Synology BeeStation devices.

Who can exploit the Synology BeeStation vulnerability?

The vulnerability can be exploited by remote unauthenticated attackers. This means attackers do not need any credentials or prior access to the system and can exploit the vulnerability over the network, making it particularly dangerous.

Which versions of Synology BeeStation OS are vulnerable?

All versions of Synology BeeStation OS are vulnerable to CVE-2025-12686, including BeeStation OS 1.3, BeeStation OS 1.2, BeeStation OS 1.1, and BeeStation OS 1.0.

What should administrators do about CVE-2025-12686?

Administrators should verify that the available update has been applied on their BeeStation devices and upgrade to version 1.3.2-65648 or above immediately. If the update has not been automatically applied, administrators should manually install it as soon as possible and isolate their BeeStation from the internet until the patch is applied.

What is Synology BeeStation?

Synology BeeStation is a network-attached storage (NAS) device that runs BeeStation OS. The device is now affected by a critical buffer overflow vulnerability that allows remote code execution.

What is the severity of the Synology BeeStation vulnerability?

The vulnerability is critical-severity with a CVSS score of 9.8, which is near the maximum possible score. This high severity rating reflects the fact that the vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices, potentially leading to complete system compromise.

Should BeeStation devices be isolated from the internet?

Yes, administrators should isolate their BeeStation devices from the internet, especially if they have not yet applied the security update to version 1.3.2-65648 or above. This reduces the attack surface while the patch is being deployed.

Advisory

Synology patches critical remote code execution vulnerability in BeeStation OS

Q: What is CVE-2025-12686?

CVE-2025-12686 is a critical-severity vulnerability with a CVSS score of 9.8 affecting Synology BeeStation OS. It is a buffer overflow vulnerability that allows remote unauthenticated attackers to execute arbitrary code on vulnerable BeeStation network-attached storage devices. The vulnerability was discovered during the Pwn2Own 2025 competition in Ireland.

published: Nov. 11, 2025

Take action: If you have Synology BeeStation network storage devices, check whether it has updated to BeeStation OS version 1.3.2-65648 or later. If not, force the update. And make sure to isolate it from the internet. This flaw was demonstrated at the Pwn2Own hacking competition and will probably be exploited soon

Learn More

Synology has released a security update for its BeeStation OS to address a critical-severity vulnerability discovered during the Pwn2Own 2025 competition in Ireland that allows remote unauthenticated attackers to execute arbitrary code on vulnerable BeeStation network-attached storage devices.

The flaw is tracked as CVE-2025-12686 (CVSS score 9.8), a buffer overflow. vulnerability. The vulnerability allows unauthenticated remote attackers to exploit the buffer overflow condition over the network.

All versions of Synology BeeStation OS are vulnerable, including:

BeeStation OS 1.3
BeeStation OS 1.2
BeeStation OS 1.1
BeeStation OS 1.0

Synology has patched this vulnerability in BeeStation OS version 1.3.2-65648. Users should upgrade to version 1.3.2-65648 or above immediately.

Administrators should verify that the available update has been applied on their BeeStation devices. If the update has not been automatically applied, administrators should manually install it as soon as possible and isolate their BeeStation from the internet.

Synology patches critical remote code execution vulnerability in BeeStation OS

Read More
Critical Command Injection Vulnerability in Legacy Vivotek Cameras
CISA reports active exploitation of Oracle AgilePLM flaws
Rapid7 Velociraptor vulnerability actively exploited in ransomware campaigns
Security rearchers discover old critical flaw still active …
BeyondTrust Patches Critical Pre-Authentication RCE Vulnerability in Remote …