Synology closes critical Pwn2Own security vulnerability
IT researchers found a security vulnerability in Synology's BeeStation NAS systems at Pwn2Own. Updates are available to fix it.
(Image: Synology)
IT security researchers discovered a security vulnerability classified as a critical risk in Synology's BeeStation at Pwn2Own 2025 in Ireland. Updates are ready to close it.
In its security advisory, Synology initially only states that attackers can execute arbitrary code remotely (CVE-2025-12686, CVSS 9.8, risk "critical"). It does, however, classify the flaw under Common Weakness Enumeration entry CWE-120, "Buffer copy without checking size of input ('Classic buffer overflow')", which the CWE entry itself describes less tersely as: "the product copies an input buffer to an output buffer without checking if the size of the input buffer is smaller than the size of the output buffer."
The vulnerability affects BeeStation OS versions 1.0, 1.1, 1.2 and 1.3. Synology released BeeStation OS 1.3.2-65648, which is intended to close the gap, on October 30.
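To make the CWE-120 classification concrete, here is an added illustration of the weakness class in C. It is not Synology's code and says nothing about where the BeeStation bug actually sits; the `record` layout, the field names and the 20-byte input are constructed for the example. The unchecked variant sizes the copy by the input, the hardened variant takes the destination capacity into account before writing a single byte.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed layout: a fixed-size text field followed by a flag. */
struct record {
    char label[16];
    unsigned int privileged;
};

/* CWE-120 pattern: the copy is sized by the input, not by the destination.
 * strcpy writes strlen(src) + 1 bytes wherever dst points, so any input of
 * 16 or more characters runs past label[] into whatever follows it. */
void set_label_unchecked(struct record *r, const char *src)
{
    strcpy(r->label, src);
}

/* Hardened form: the destination capacity is known (sizeof r->label) and the
 * input length is compared against it before anything is written.
 * Returns 0 on success, -1 if the input plus its NUL terminator would not fit. */
int set_label_checked(struct record *r, const char *src, size_t src_len)
{
    if (src_len >= sizeof r->label)
        return -1;
    memcpy(r->label, src, src_len);
    r->label[src_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed input: 20 bytes, longer than the 16-byte label field. */
    const char *oversize = "AAAAAAAAAAAAAAAAAAAA";
    struct record r;

    memset(&r, 0, sizeof r);
    set_label_unchecked(&r, oversize);   /* undefined behaviour: overflows label[] */
    printf("unchecked copy: privileged flag is now 0x%08x\n", r.privileged);

    memset(&r, 0, sizeof r);
    if (set_label_checked(&r, oversize, strlen(oversize)) != 0)
        printf("checked copy: rejected %zu-byte input for %zu-byte field\n",
               strlen(oversize), sizeof r.label);
    printf("checked copy: privileged flag is still 0x%08x\n", r.privileged);
    return 0;
}
```

The first call is only there to show what the missing check costs: the adjacent flag is overwritten by input bytes. The second call refuses the same input and leaves the rest of the struct untouched, which is the behaviour a fix for a CWE-120 bug has to restore.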
Own Cloud
Synology markets the BeeStations as systems for building your own private cloud, explicitly as an alternative to public cloud services, and targets private users and families as well as teams in a corporate environment. Admins should check without delay whether the update has already arrived on their BeeStation and is active, and install it manually if necessary.
Alongside the BeeStations, Qnap NAS products were a popular target at Pwn2Own 2025, and their developers had to seal several security vulnerabilities as a result. Qnap, too, is still withholding the CVE entries themselves; they cover vulnerabilities classified as critical, among others. In the previous year, Synology likewise closed vulnerabilities that had been demonstrated at that year's Pwn2Own.
(dmk)