Critical RCE Vulnerability in Synology BeeStation Demonstrated at Pwn2Own
Synology addressed a critical remote code execution vulnerability (CVE-2025-12686) in its BeeStation product after the flaw was publicly demonstrated at the Pwn2Own Ireland 2025 competition. The vulnerability, which received a CVSS score of 9.8, stems from improper buffer size checks that allow remote attackers to execute arbitrary code on affected devices. Synology has released patches for all versions of BeeStation OS, urging users to upgrade to version 1.3.2-65648 or later to mitigate the risk.
The flaw was one of several zero-days showcased at Pwn2Own Ireland 2025, where researchers were awarded over $1 million for discovering 73 unique vulnerabilities across a range of consumer and enterprise devices. The event highlighted the ongoing risks posed by zero-day vulnerabilities in widely used storage and smart home products. Other vendors, including QNAP, also issued patches for vulnerabilities revealed during the competition.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Synology patches BeeStation flaw CVE-2025-12686
Synology released a patch for the critical BeeStation remote code execution flaw CVE-2025-12686 after it was shown at Pwn2Own Ireland 2025. The patching action was reported the following day.
Pwn2Own Ireland 2025 reveals Synology BeeStation RCE zero-day
A critical remote code execution vulnerability in Synology BeeStation, later tracked as CVE-2025-12686, was demonstrated at the Pwn2Own Ireland 2025 contest. The supplied reporting identifies it as a zero-day affecting the product.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Synology patches critical BeeStation RCE flaw shown at Pwn2Own Ireland 2025
securityaffairs.com
Open sourceCritical Synology BeeStation Zero-Day (CVE-2025-12686) Found at Pwn2Own Allows Remote Code Execution
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Pwn2Own Ireland 2025 Day Two: Multiple Zero-Day Exploits Demonstrated Across Consumer Devices
Security researchers at Pwn2Own Ireland 2025 demonstrated 56 unique zero-day vulnerabilities across a range of consumer devices on the second day of the competition, earning a total of $792,750 in rewards. Notable exploits included a major Samsung Galaxy S25 compromise by The Summoning Team and Mobile Hacking Lab, who chained five vulnerabilities to achieve their result, as well as successful attacks against QNAP TS-453E, Synology DS925+, Canon imageCLASS MF654Cdw printer, Home Automation Green, and Phillips Hue Bridge. The event featured participation from leading teams and individuals, with The Summoning Team leading the scoreboard after their Samsung Galaxy exploit, and other teams such as CyCraft, Verichains, and Qrious Secure also earning significant rewards for their discoveries. The competition, sponsored by Meta, Synology, and QNAP, covered eight categories including flagship smartphones, printers, network storage, home networking gear, messaging apps, smart home and surveillance devices, and wearables. Vendors now have 90 days to address the vulnerabilities before public disclosure. Some exploits, such as the Synology BeeStation Plus, were ruled out of scope for the competition. The event highlights the ongoing risks posed by zero-day vulnerabilities in widely used consumer and enterprise devices, emphasizing the importance of coordinated vulnerability disclosure and rapid patching by vendors.
Mar 21, 2026
QNAP Patches Seven Zero-Day Vulnerabilities Exploited at Pwn2Own
QNAP has released security updates to address seven zero-day vulnerabilities in its network-attached storage (NAS) products after these flaws were exploited by security researchers during the Pwn2Own Ireland 2025 competition. The vulnerabilities affected QNAP's QTS and QuTS hero operating systems, as well as key applications including Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. The exploits were demonstrated by teams such as Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern, highlighting the critical nature of these security issues. QNAP has provided patched versions for all affected software and strongly recommends that users update to the latest releases and change all passwords to enhance security. The company has published detailed advisories and instructions for updating both the operating systems and vulnerable applications through the QTS or QuTS hero interface. Regular updates and monitoring of product support status are advised to ensure ongoing protection against similar vulnerabilities.
Mar 21, 2026
Pwn2Own Ireland 2025 Day One Exploits and Results
On the first day of Pwn2Own Ireland 2025, security researchers demonstrated the exploitation of 34 unique zero-day vulnerabilities across a wide range of consumer and enterprise devices. The event, organized by Trend Micro's Zero Day Initiative (ZDI), awarded a total of $522,500 in cash prizes to participating teams and individuals for their successful exploits. One of the most notable achievements was by Team DDOS, who chained eight zero-day vulnerabilities to compromise the QNAP Qhora-322 Ethernet wireless router via its WAN interface and subsequently gained access to a QNAP TS-453E NAS device, earning them $100,000 and 8 Master of Pwn points. Multiple teams, including Synacktiv, Summoning Team, DEVCORE, and Rapid7, achieved root-level code execution on devices such as the Synology BeeStation Plus, Synology DiskStation DS925+, QNAP TS-453E, and Home Assistant Green, each receiving $40,000 for their efforts. STARLabs, Team PetoWorks, Team ANHTUD, and Ierae researchers successfully exploited the Canon imageCLASS MF654Cdw multifunction laser printer in four separate attempts, highlighting the device's vulnerability. STARLabs also managed to hack the Sonos Era 300 smart speaker, earning $50,000, while Team ANHTUD exploited the Philips Hue Bridge for a $40,000 reward. The Summoning Team used a two-zero-day exploit chain to gain root on the Synology ActiveProtect Appliance DP320, securing an additional $50,000. By the end of the day, the Summoning Team led the Master of Pwn leaderboard with 11.5 points, closely followed by Team DDOS. The competition featured eight categories, including flagship smartphones, messaging apps, smart home devices, printers, and home networking equipment, with a total prize pool of up to $2,000,000 and a record $1,000,000 single prize for a 0-click WhatsApp exploit. The ZDI coordinates responsible disclosure with affected vendors, granting them 90 days to patch vulnerabilities before public disclosure. The event's schedule included a diverse set of targets and participants, with each attempt carefully timed and monitored. Technical details of the exploits ranged from stack-based and heap-based buffer overflows to complex exploit chains involving multiple zero-days. The competition not only showcased the skills of top security researchers but also contributed to improving the security posture of widely used devices. The responsible disclosure process ensures that vendors are alerted to critical vulnerabilities before they can be weaponized by malicious actors. The first day of Pwn2Own Ireland 2025 underscored the ongoing need for robust security research and proactive vulnerability management in the technology ecosystem. The event's results will drive future security updates and influence best practices across the industry. The high-profile nature of the competition and the significant financial incentives continue to attract elite researchers and teams from around the world.
Apr 19, 2026