Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Synology fixes a zero-day bug in BeeStation OS. Researchers receive $40,000.


12 November 2025 16:02

Synology has patched a zero-day vulnerability in its BeeStation devices, demonstrated during the recent Pwn2Own competition. The bug, identified as CVE-2025-12686, falls under the category of “buffer copying without input size validation,” allowing an attacker to execute arbitrary code on the target system.

The issue affects several versions of BeeStation OS, the operating system that manages Synology consumer network-attached storage (NAS) devices and is marketed as a “personal cloud.” The fix is included in BeeStation OS 1.3.2-65648 and later. No other workarounds are available, so users are advised to install the latest firmware immediately.

The vulnerability was demonstrated by researchers Tek and anyfun from the French company Synacktiv during the Pwn2Own Ireland 2025 competition, which took place on October 21. The team received a $40,000 reward for successfully exploiting the bug.

The Pwn2Own event annually brings together cybersecurity researchers from around the world, offering them the opportunity to demonstrate how to exploit zero-day vulnerabilities in popular devices. At the competition, held in Ireland, participants submitted 73 previously unknown flaws in various products, earning over a million dollars.

A week earlier, another major NAS device manufacturer, QNAP, had also released updates that addressed seven zero-day vulnerabilities discovered at the same event.

In accordance with the disclosure agreement, ZDI will refrain from publishing technical details until the patches are released and the user update period expires. Detailed descriptions of the vulnerabilities are expected to appear on the initiative’s website and researchers’ blogs in the coming months.


Redazione

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.