CVE-2025-12686: Critical vulnerability in Synology BeeStation (CVSS 9.8)
A critical security vulnerability, CVE-2025-12686 (CVSS 9.8), affects the Synology BeeStation. It allows unauthenticated remote attackers to execute arbitrary code and take over the device completely. The vulnerability was demonstrated by security researchers from Synacktiv at the Pwn2Own competition in October 2025.
Synology was already affected by a similar incident in November 2024: the zero-click RCE vulnerability CVE-2024-10443 ("RISK:STATION") gave unauthenticated attackers root access to BeeStation and DiskStation devices, also demonstrated at Pwn2Own Ireland. This is the second consecutive critical Pwn2Own finding against the same vendor and highlights the structural vendor risk that Synology products represent in third-party risk management. Source: SecurityAffairs [https://securityaffairs.com/170602/hacking/synology-fixed-critical-bug-in-diskstation-and-beephotos-nas.html]
Technical details of the vulnerability
The flaw is a classic buffer overflow (CWE-120, Buffer Copy without Checking Size of Input). It is located in the auth method of the AdminCenter authentication endpoint (SYNO.BEE.AdminCenter.Auth). An attacker triggers the overflow by sending a specially crafted network request in which the auth-info parameter carries an oversized string; the service copies it into a fixed-size buffer without checking its length. Because the affected web services run on the devices with privileged rights by default, this yields arbitrary code execution as root directly on the system. No user interaction is required (zero-click). The Zero Day Initiative (ZDI) tracks the vulnerability under the IDs ZDI-CAN-28275 and ZDI-25-1039. The Synacktiv researchers received 40,000 US dollars in prize money for their demonstration.
The technical analysis published by Synacktiv shows that the vulnerability affects not only the original Synology BeeStation but can also be exploited on the newer BeeStation Plus, so both older and current models of the product series are affected. The following software versions are affected:
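To make the bug class concrete, here is an added C illustration of the CWE-120 pattern the advisory describes, placed next to a bounded version of the same handler. It is not Synology's code: the buffer size (64 bytes), the function names and the way the auth-info value is "parsed" are assumptions chosen to show the bug class, not the real AdminCenter implementation, and the oversized input is constructed inside the program.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_INFO_MAX 64   /* assumed size of the fixed buffer; not Synology's value */

/* Vulnerable pattern (CWE-120): the caller-controlled parameter is copied into a
 * fixed-size stack buffer with no length check. Any input of AUTH_INFO_MAX bytes
 * or more writes past 'buf' and corrupts the stack (undefined behaviour). It is
 * kept here only for comparison and is called below with a short, in-bounds value. */
int handle_auth_info_vulnerable(const char *auth_info) {
    char buf[AUTH_INFO_MAX];
    strcpy(buf, auth_info);              /* no bound: the bug */
    return (int)strlen(buf);             /* stands in for the real parsing */
}

/* Counts bytes up to the first NUL but never looks beyond 'max', so the length
 * check itself cannot run off the end of an unterminated input. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened pattern: measure with an upper bound, reject anything that does not
 * fit together with its NUL terminator, and only then copy a known byte count.
 * Returns the accepted length, or -1 when the request must be rejected. */
int handle_auth_info_hardened(const char *auth_info) {
    char buf[AUTH_INFO_MAX];
    size_t n;
    if (auth_info == NULL)
        return -1;
    n = bounded_len(auth_info, AUTH_INFO_MAX);
    if (n >= AUTH_INFO_MAX)              /* too long, or no NUL within the limit */
        return -1;
    memcpy(buf, auth_info, n);
    buf[n] = '\0';
    return (int)n;
}

/* Feeds the hardened handler a constructed 'A'-string of 'len' bytes so the
 * boundary can be exercised without hand-building payloads (len < 256). */
int hardened_result_for_length(size_t len) {
    char tmp[256];
    if (len >= sizeof tmp)
        return -1;
    memset(tmp, 'A', len);
    tmp[len] = '\0';
    return handle_auth_info_hardened(tmp);
}

int main(void) {
    printf("hardened, 10-byte value : %d\n", handle_auth_info_hardened("user:token"));
    printf("hardened, 63-byte value : %d\n", hardened_result_for_length(63));
    printf("hardened, 64-byte value : %d (rejected)\n", hardened_result_for_length(64));
    printf("hardened, 200-byte value: %d (rejected)\n", hardened_result_for_length(200));
    /* Never pass untrusted input to the vulnerable variant. */
    printf("vulnerable, 10-byte value: %d\n", handle_auth_info_vulnerable("user:token"));
    return 0;
}
```

The hardened handler rejects the 64- and 200-byte inputs before anything is written, which is the check the vulnerable variant lacks. The vulnerable variant is only exercised with the short value, because with the 200-byte string it would overwrite the stack frame, which is precisely the condition an attacker reaches over the network with an oversized auth-info parameter.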
Synology BeeStation Manager (BSM): All versions before 1.3.2-65648
Synology BeeStation OS: Versions 1.0.x, 1.1.x, 1.2.x and 1.3.x before 1.3.2-65648
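The following added C example (not Synology tooling) turns the affected-version list above into a check that an inventory or attack-surface script could apply to a reported BeeStation OS or BSM version string. The "major.minor.patch-build" format is taken from the fixed release 1.3.2-65648; the other version strings in main() are constructed for illustration and do not correspond to real releases.

```c
#include <stdio.h>

typedef struct {
    int major, minor, patch;
    long build;          /* -1 when the string carries no build number */
} bsm_version;

/* Parses "major.minor.patch-build" (e.g. "1.3.2-65648") or "major.minor.patch".
 * Returns 1 on success, 0 when the string is not a well-formed version. Trailing
 * garbage and negative components are rejected rather than silently accepted. */
int parse_bsm_version(const char *s, bsm_version *v) {
    char extra;
    int n = sscanf(s, "%d.%d.%d-%ld%c", &v->major, &v->minor, &v->patch, &v->build, &extra);
    if (n != 4) {
        v->build = -1;
        n = sscanf(s, "%d.%d.%d%c", &v->major, &v->minor, &v->patch, &extra);
        if (n != 3)
            return 0;
    }
    if (v->major < 0 || v->minor < 0 || v->patch < 0 || (n == 4 && v->build < 0))
        return 0;
    return 1;
}

/* Three-way comparison of major.minor.patch only; build numbers are compared by
 * the caller, since one side may not have one. */
static int cmp_release(const bsm_version *a, const bsm_version *b) {
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* Returns 1 if 'version' is below the fixed release 1.3.2-65648 (the affected
 * range the advisory lists for both BeeStation OS and BSM), 0 if it is fixed or
 * newer, and -1 if the answer cannot be determined: unparseable input, or "1.3.2"
 * reported without a build number, where the build decides. An inventory should
 * treat -1 as "verify manually", never as "safe". */
int is_vulnerable_to_cve_2025_12686(const char *version) {
    const bsm_version fixed = {1, 3, 2, 65648};
    bsm_version v;
    int c;
    if (!parse_bsm_version(version, &v))
        return -1;
    c = cmp_release(&v, &fixed);
    if (c != 0)
        return c < 0 ? 1 : 0;
    if (v.build < 0)
        return -1;
    return v.build < fixed.build ? 1 : 0;
}

int main(void) {
    /* Constructed inputs for illustration; only 1.3.2-65648 is a real release. */
    const char *samples[] = {
        "1.3.2-65648", "1.3.2-65647", "1.2.4-60100", "1.3.2", "1.4.0-70000", "1.3.2-65648x"
    };
    const char *verdict[] = {"fixed", "VULNERABLE", "unknown"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = is_vulnerable_to_cve_2025_12686(samples[i]);
        printf("%-14s -> %s\n", samples[i], verdict[r < 0 ? 2 : r]);
    }
    return 0;
}
```

The comparison is numeric per component rather than a string comparison, so a build number such as 65648 is not ordered lexically against shorter ones, and the three-valued result keeps "could not tell" separate from "patched", which matters when the data comes from a banner or an asset database rather than the device itself.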
A successful attack results in complete compromise of the device. Attackers can read, manipulate or exfiltrate the stored data, and the compromised system can serve as a foothold for further attacks on the internal company network.
Recommended countermeasures
Synology published a security update on October 30, 2025 that closes the vulnerability; the corresponding Security Advisory (Synology_SA_25_12) was made public on November 10, 2025. Installing the patch is the only reliable protective measure.
Primary measure:
Perform the update: Administrators must ensure that their systems are updated to version 1.3.2-65648 or newer. The update is delivered via the built-in update function of BeeStation Manager (BSM).
Temporary measures (if an immediate update is not possible):
Isolate systems: Affected BeeStation devices should be disconnected from the public Internet.
Restrict access: Access to the management interface should be restricted to a minimum of trusted IP addresses or network segments.
In the long term, it is essential to establish continuous vulnerability monitoring and subscribe to security alerts from relevant manufacturers.
For companies in the EU and the DACH region, the following applies: if a BeeStation instance is compromised and personal data is affected, the competent data protection authority must be notified within 72 hours in accordance with GDPR Art. 33. Operators who fall under NIS-2 are additionally subject to its incident reporting obligations and must contain the incident without delay. The BSI generally recommends patching Internet-exposed NAS devices immediately and not making their management interfaces directly reachable from the Internet.
Managing external attack surfaces and supplier risks
The vulnerability in the Synology BeeStation underlines the importance of continuous monitoring of the external attack surface. Devices like these are often deployed in branch offices or for specific projects and fall out of sight of central IT management (shadow IT). If the BeeStation's management interface is reachable from the Internet, the device is a direct entry point.
An External Attack Surface Management (EASM) solution such as LocateRisk automatically identifies such externally accessible systems by monitoring an organization's DNS records and IP ranges. This makes it possible to see where a vulnerable BeeStation instance is being operated, even if it is missing from the internal asset database - a classic shadow IT finding that is not captured by purely internal inventories. In parallel, Continuous Vendor Risk Management (C-VRM) evaluates the security of manufacturers such as Synology over time. Repeated critical vulnerabilities with the same vendor - such as the Pwn2Own findings in 2024 and 2025 - are included in the risk assessment and can trigger corresponding escalation processes in vendor management. LocateRisk operates its platform in Germany and supports companies in fulfilling GDPR requirements as part of their risk management.
CVE-2025-12686 is a critical vulnerability (CVSS 9.8) in Synology BeeStation Manager (BSM) and BeeStation OS. It relies on a classic buffer overflow (CWE-120) in the AdminCenter authentication endpoint and allows unauthenticated attackers to execute arbitrary code on the affected device over the network without requiring user interaction.
Affected are Synology BeeStation OS versions 1.0.x, 1.1.x, 1.2.x and 1.3.x before 1.3.2-65648, and all versions of Synology BeeStation Manager (BSM) before 1.3.2-65648. The patch is contained in version 1.3.2-65648, which Synology published on October 30, 2025.
The most important measure is the immediate update to BeeStation OS or BSM version 1.3.2-65648 or newer via the built-in update function of BeeStation Manager. If an immediate update is not possible, the affected device should be isolated from the public Internet and access to the management interface should be restricted to trusted IP addresses. The official Synology Security Advisory is Synology_SA_25_12.