Synology has launched an pressing safety replace addressing a crucial distant code execution vulnerability in BeeStation OS that permits unauthenticated attackers to execute arbitrary code on affected gadgets.
The vulnerability, tracked as CVE-2025-12686 and recognized by ZDI-CAN-28275, carries a crucial CVSS3 base rating of 9.8, reflecting its extreme affect and exploitability.
The flaw stems from a basic buffer overflow vulnerability (CWE-120) in BeeStation OS, making it uncovered to network-based assaults with out requiring authentication or consumer interplay.
Synology BeeStation 0-Day Vulnerability
The buffer overflow situation in BeeStation OS permits distant attackers to craft malicious inputs that overflow reminiscence buffers, doubtlessly main to finish system compromise.
With a CVSS3 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A: H, the vulnerability demonstrates low assault complexity, community accessibility, and no privilege or consumer interplay necessities.
CVE IDVulnerability NameSeverityCVSS3 Base ScoreCVSS3 VectorCVE-2025-12686Buffer Overflow in BeeStation OSCritical9.8AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This mixture makes the flaw slight exploitable in real-world situations. At present, there isn’t a out there mitigation technique, making rapid patching the one viable protection.
Affected Merchandise and Patches
Synology has launched safety updates for all affected BeeStation OS variations:
ProductUpdate ToBeeStation OS 1.01.3.2-65648+BeeStation OS 1.11.3.2-65648+BeeStation OS 1.21.3.2-65648+BeeStation OS 1.31.3.2-65648+
Organizations and customers with BeeStation gadgets ought to prioritize firmware updates instantly. Nature of this vulnerability, mixed with the absence of workarounds, necessitates pressing motion to forestall potential exploitation by risk actors.
Given the convenience of exploitation and distant accessibility, delaying patches exposes programs to vital threat. Synology researchers demonstrated the potential for exploitation by means of the Zero Day Initiative program. This collaborative disclosure ensures well timed patching whereas defending customers from lively exploitation.
BeeStation customers are to verify their system variations and apply the advisable updates at once to get rid of this distant code execution risk.
Observe us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to characteristic your tales.
