Synology has released an urgent security update addressing a critical remote code execution vulnerability in BeeStation OS that allows unauthenticated attackers to execute arbitrary code on affected devices.
The vulnerability, tracked as CVE-2025-12686 and identified by ZDI-CAN-28275, carries a critical CVSS3 base score of 9.8, reflecting its severe impact and exploitability.
The flaw stems from a classic buffer overflow vulnerability (CWE-120) in BeeStation OS, making it exposed to network-based attacks without requiring authentication or user interaction.
Synology BeeStation 0-Day Vulnerability
The buffer overflow condition in BeeStation OS allows remote attackers to craft malicious inputs that overflow memory buffers, potentially leading to complete system compromise.
With a CVSS3 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A: H, the vulnerability demonstrates low attack complexity, network accessibility, and no privilege or user interaction requirements.
| CVE ID | Vulnerability Name | Severity | CVSS3 Base Score | CVSS3 Vector |
|---|---|---|---|---|
| CVE-2025-12686 | Buffer Overflow in BeeStation OS | Critical | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
This combination makes the flaw slight exploitable in real-world scenarios. Currently, there is no available mitigation strategy, making immediate patching the only viable defense.
Affected Products and Patches
Synology has released security updates for all affected BeeStation OS versions:
| Product | Update To |
|---|---|
| BeeStation OS 1.0 | 1.3.2-65648+ |
| BeeStation OS 1.1 | 1.3.2-65648+ |
| BeeStation OS 1.2 | 1.3.2-65648+ |
| BeeStation OS 1.3 | 1.3.2-65648+ |
Organizations and users with BeeStation devices should prioritize firmware updates immediately. Nature of this vulnerability, combined with the absence of workarounds, necessitates urgent action to prevent potential exploitation by threat actors.
Given the ease of exploitation and remote accessibility, delaying patches exposes systems to significant risk. Synology researchers demonstrated the potential for exploitation through the Zero Day Initiative program. This collaborative disclosure ensures timely patching while protecting users from active exploitation.
BeeStation users are to check their device versions and apply the recommended updates without delay to eliminate this remote code execution threat.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
