BeeStation OS buffer copy RCE (CVE-2025-12686)
Vulnerability
Summary
Synology BeeStation OS is affected by CVE-2025-12686, a critical buffer copy without checking the size of input flaw (CWE-120) that can lead to arbitrary code execution and impacts multiple BeeStation OS versions. Synology states that no workarounds are available, so the only remediation is to upgrade to BeeStation OS 1.3.2-65648 or above. The vulnerability was publicly demonstrated at Pwn2Own Ireland 2025, which confirms that the issue is exploitable in practice.
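A fleet-triage check added here, not Synology's code: it compares reported BeeStation OS version strings against the fixed version 1.3.2-65648 named above. It assumes the "major.minor.patch-build" form the advisory uses for that version, compares the four components numerically (a plain string comparison would misorder build numbers of different lengths), and reports any other shape as unknown rather than guessing. The sample inventory is constructed, not real device data.

```python
import re
from typing import Optional, Tuple

# Fixed version stated in the advisory: BeeStation OS 1.3.2-65648 or above.
FIXED_VERSION = "1.3.2-65648"

# Assumed shape: major.minor.patch-build, all numeric (matches 1.3.2-65648).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(s: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'major.minor.patch-build' into a tuple of ints, or None if malformed."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if installed >= fixed, False if older, None if either string is unparseable.

    Tuple comparison orders by major, then minor, then patch, then build number,
    so 1.3.2-65648 >= 1.3.2-65647 and 1.4.0-1 >= 1.3.2-65648 both hold, while a
    lexicographic string compare would wrongly rank 1.3.2-7000 above 1.3.2-65648.
    """
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return None
    return inst >= fix


def triage(versions):
    """Bucket reported versions into patched / vulnerable / unknown."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for v in versions:
        r = is_patched(v)
        key = "unknown" if r is None else ("patched" if r else "vulnerable")
        out[key].append(v)
    return out


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical build numbers, not real devices).
    sample = ["1.3.2-65648", "1.3.2-65647", "1.3.1-60000", "1.4.0-70000", "1.3.2", "n/a"]
    for bucket, versions in triage(sample).items():
        print(f"{bucket}: {versions}")
```

Anything that lands in "unknown" should be checked by hand rather than assumed safe; the script deliberately refuses to rank version strings whose shape it does not recognise.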
Timeline
- 12.11.2025 00:34 · 1 article
Synacktiv demonstrates CVE-2025-12686 at Pwn2Own Ireland 2025
Exploitation observed: Tek and anyfun of Synacktiv demonstrated CVE-2025-12686 against Synology BeeStation products during Pwn2Own Ireland 2025, showing that the buffer copy without checking the size of input flaw can be turned into arbitrary code execution. The successful exploitation earned the researchers a $40,000 reward.
Sources:
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
- 12.11.2025 00:34 · 2 articles
Synology patches BeeStation OS RCE and requires upgrade
Mitigation, patch update: Synology addressed the critical-severity RCE in BeeStation products by requiring affected users to upgrade to BeeStation OS version 1.3.2-65648 or above. No workarounds are available for the vulnerability, which impacts multiple BeeStation OS versions, so upgrading is the only remediation.
Sources:
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34