Synology has patched multiple critical vulnerabilities in BeeStation OS following their public exploitation during the Pwn2Own Ireland 2025 competition. The flaws, collectively known as the Synology BeeStation zero-days, allowed remote attackers to execute arbitrary code on affected NAS devices.
Critical RCE Flaw Demonstrated Live
The main vulnerability, tracked as CVE-2025-12686, was caused by a buffer copy issue that failed to verify input size. This weakness enabled researchers from the French cybersecurity firm Synacktiv to achieve remote code execution during the live Pwn2Own event. Their successful demonstration earned them a $40,000 reward and led Synology to prioritize a security patch.
Affected Versions and Updates
The flaws impacted several BeeStation OS releases used in consumer-oriented NAS systems marketed as personal cloud storage. Synology advised users to upgrade to BeeStation OS 1.3.2-65648 or later, as no mitigation measures exist for earlier versions. The company emphasized that timely patching remains the only way to secure affected systems.
Broader Context at Pwn2Own Ireland
Pwn2Own Ireland 2025, organized by Trend Micro’s Zero Day Initiative (ZDI), showcased 73 zero-day vulnerabilities across popular consumer devices. Researchers collectively won over $1 million during the three-day contest. The event reinforces the growing role of ethical hacking in exposing critical security flaws before they can be exploited by threat actors.
Just days before Synology’s fix, another NAS manufacturer, QNAP, addressed seven zero-day vulnerabilities revealed during the same competition. These consecutive discoveries highlight the ongoing security challenges within network-attached storage systems.
Responsible Disclosure and Next Steps
Under ZDI’s disclosure agreement, technical details of the BeeStation vulnerabilities remain confidential until Synology confirms that users have widely applied the patch. The organization plans to release detailed advisories once sufficient update adoption is confirmed. Security researchers are also expected to publish technical analyses later through their blogs.
Conclusion
The patch for the Synology BeeStation zero-days underscores the vital collaboration between ethical hackers and vendors. Pwn2Own continues to demonstrate how proactive vulnerability research strengthens cybersecurity across industries. Users are strongly urged to update their BeeStation OS immediately to eliminate exposure to remote code execution attacks.
0 responses to “Synology Patches BeeStation Zero-Days Exposed at Pwn2Own Ireland”