# Full Report
Synology has addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products that was demonstrated at the recent Pwn2Own hacking competition. [...]
# Analysis Summary
# Vulnerability: Critical RCE in Synology BeeStation Products
## CVE Details
- CVE ID: CVE-2025-12686
- CVSS Score: Not explicitly stated, but described as **critical-severity**.
- CWE: Buffer copy without checking the size of input (most likely CWE-120: Buffer Copy without Checking Size of Input, or CWE-787: Out-of-bounds Write; the briefing does not name a CWE number)
## Affected Systems
- Products: Synology BeeStation products (running BeeStation OS)
- Versions: Prior to BeeStation OS version **1.3.2-65648**
- Configurations: Not specified, assumed applicable across affected versions.
## Vulnerability Description
The vulnerability is a memory-safety bug, described only as a “buffer copy without checking the size of input.” Successful exploitation allows an unauthenticated attacker to achieve **arbitrary code execution** on the affected system.
## Exploitation
- Status: **Demonstrated** via successful exploitation at Pwn2Own Ireland 2025.
- Complexity: Not stated; implied to be Low/Medium, given that it was exploited live in the competition for a $40,000 reward.
- Attack Vector: Remote (implied by the RCE classification and the Pwn2Own network setting).
## Impact
- Confidentiality: High (Likely full system compromise possible)
- Integrity: High (Arbitrary code execution)
- Availability: High (System takeover/disruption)
## Remediation
### Patches
- BeeStation OS version **1.3.2-65648** or above. (Note: the briefing lists this same version for several products/contexts, which implies it is the general fix release rather than a per-product build.)
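The one actionable item in this summary is the fix release number, and the BeeStation OS version format (`MAJOR.MINOR.PATCH-BUILD`) trips up naive string comparison (`"1.3.10" < "1.3.2"` is true as strings). The following is an added example, not Synology's or ZDI's code, that parses that format into comparable tuples and triages a fleet inventory. It assumes the version strings look exactly like the one in the advisory; how a BeeStation actually reports its version is not described on this page, and the hostnames and versions in the sample are constructed.

```python
"""Version check against the BeeStation OS fix release named in the advisory.

Added example, not Synology's or ZDI's code. Assumes BeeStation OS versions
are written as MAJOR.MINOR.PATCH-BUILD, e.g. "1.3.2-65648" (assumption: the
page only shows this one string, not the device's reporting format).
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "1.3.2-65648"  # fix release from the advisory summary

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn "1.3.2-65648" into the comparable tuple (1, 3, 2, 65648).

    A missing build number is treated as build 0, so a bare "1.3.2" sorts
    before "1.3.2-65648" and is still reported as needing the patch.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BeeStation OS version string: {version!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fix release."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a {hostname: version} inventory into patched / needs_patch / unknown.

    Unparseable version strings land in 'unknown' rather than silently
    passing as patched, so they get a manual look.
    """
    result: Dict[str, List[str]] = {"patched": [], "needs_patch": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "needs_patch" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "bee-office-01": "1.3.1-65500",
        "bee-office-02": "1.3.2-65648",
        "bee-home-03": "1.3.10-70000",
        "bee-lab-04": "n/a",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```

Feed `triage()` whatever host-to-version mapping your asset inventory exports; the "unknown" bucket is deliberately conservative, since a device whose version cannot be read is not evidence that it is patched.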
### Workarounds
- No mitigations are mentioned as available prior to patching; immediate patching is recommended.
## Detection
- Detection methods and technical details (IOCs) are currently withheld by ZDI pending its disclosure timeline.
## References
- Vendor Advisory: hxxps://www.synology.com/en-us/security/advisory/Synology_SA_25_12
- Pwn2Own Event Details: hxxps://www.bleepingcomputer.com/news/security/hackers-earn-1-024-750-for-73-zero-days-at-pwn2own-ireland/