Security Intelligence
Loading table of contents...
At a glance: Synology patched a critical BeeStation OS vulnerability demonstrated live at Pwn2Own, caused by a buffer overflow that could enable remote code execution and full device compromise. Field Effect MDR users are automatically alerted if affected and should review related AROs for patch verification and remediation guidance.
Threat summary
On November 10, 2025, Synology issued a security advisory addressing a critical vulnerability in BeeStation OS, which had been publicly demonstrated weeks earlier at the Pwn2Own Ireland 2025 hacking competition.
BeeStation OS is Synology’s consumer-grade operating system designed for personal cloud storage and media management in BeeStation devices, which are frequently exposed to the internet to enable remote access and file sharing.
Like QNAP, another Taiwan-based network-attached storage (NAS) vendor, Synology issued its patch shortly after the exploit was demonstrated live by researchers from Synacktiv.
The vulnerability, tracked as CVE-2025-12686, affects BeeStation OS versions prior to 1.3.2-65648. It resulted from a classic buffer overflow condition (CWE-120) in the BeeStation web interface, where a buffer copy operation failed to validate input length. This allowed the attackers to overwrite memory and execute malicious code with elevated privileges.
The issue received a critical CVSS v3.1 base score of 9.8, as it is exploitable over the network with low complexity and requires no user interaction. In the worst-case scenario, threat actors could achieve full device compromise, gain root-level access, and exfiltrate sensitive data.
Analyst insight
As of November 12, there is no evidence of exploitation in the wild, either before or after the Pwn2Own demonstration. However, given the public nature of the demonstration and the severity of the flaw, the risk of opportunistic exploitation remains high, especially for organizations with internet-facing BeeStation devices.
Synology advises users to upgrade to BeeStation OS version 1.3.2-65648 or later. No official mitigations or workarounds were available prior to the release of the patch. For environments where immediate patching is not feasible, Synology recommends isolating BeeStation devices from public networks, enforcing strict access controls, monitoring for anomalous activity, and validating firmware integrity to reduce exposure.
Field Effect’s Security Intelligence team continuously monitors the cyber threat landscape for emerging vulnerabilities like this one. When such threats are detected in a customer’s environment, Field Effect MDR users are promptly notified and encouraged to review the associated AROs for remediation guidance, including patch verification steps.
Stay on top of emerging threats like this.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
.jpg)
.jpg)