Synology has released an urgent security update for its BeeStation OS, patching a zero-day vulnerability (CVE-2025-12686) that was successfully exploited by researchers during the Pwn2Own Ireland 2025 hacking competition. The flaw, rated CVSS 9.8 (Critical), allows remote attackers to execute arbitrary code on affected systems.
The vulnerability was demonstrated live on stage by security researchers @Tek_7987 and @_Anyfun from the Synacktiv offensive security team.
The critical flaw, now tracked as CVE-2025-12686, enables remote code execution (RCE) — one of the most dangerous classes of vulnerabilities — giving attackers full control over vulnerable devices once exploited.
“CVE-2025-12686 allows remote attackers to execute arbitrary code,” Synology stated.
According to Synology’s advisory, all major versions of BeeStation OS prior to the latest update are affected:
| Product | Severity | Fixed Release |
|---|---|---|
| BeeStation OS 1.3 | Critical | 1.3.2-65648 or above |
| BeeStation OS 1.2 | Critical | 1.3.2-65648 or above |
| BeeStation OS 1.1 | Critical | 1.3.2-65648 or above |
| BeeStation OS 1.0 | Critical | 1.3.2-65648 or above |