[ZDI-25-1039|CVE-2025-12686] (Pwn2Own) Synology BeeStation Plus auth_info Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVSS 9.8; Credit: @Tek_7987 and @_Anyfun (both working @Synacktiv))

At #Pwn2Own2025, our experts @Tek_7987 & @_Anyfun remotely compromised a Synology Beestation Plus via a pre-auth exploit, leading to full system takeover. The vuln is now tracked as CVE-2025-12686 🔍 🔗 Full write-up:

A big shout-out to the @Synacktiv team for their strong performance at the latest #Pwn2Own competition in Cork! They proudly secured third place overall 👏 Next stop: Tokyo for the upcoming edition 🇯🇵 👀 More details on the targets and participants here ℹ️

Congrats to @Tek_7987 and @_Anyfun for landing the first successful entry at #Pwn2OwnCork - exploiting a stack overflow on @Synology BeeStation Plus for $40,000 and 4 Master of Pwn points in the process 💥 Let’s keep pushing 💪 #P2OIreland #Synacktiv

Awesome!

Let’s go!

Userland iOS aficionados, I released a simple IDA plugin that should improve your Objective-C experience. For now it removes ARC function calls in decompiled code (eg objc_retain) and helps listing candidate callers to a method. Check it out at

Gunshots pierce the night as a Tesla speeds away... lead the hunt for a covert criminal group in this year's @sstic challenge! We worked hard to design unique and thrilling puzzles. Join the chase starting today 16:00 GMT+1 at https://t.co/sKCakn6vXX !

Take the time to read our new #PluginFocus article. In this blog post, Arnaud Gatignol (@_anyfun) and Julien Staszewski (@_0perator) from the @thalium_team introduce ida kmdf, a tool that helps with your KMDF driver analysis. Read more 🌐 https://t.co/X7OFto3GI4 #idapro

Pensée pour Florent, Romain, Tristan, Baptiste, Guillaume et l’inévitable Valentino, tous restés au bercail en nous confiant un joli petit exploit.

Just leaving Toronto and pwn2own! What a blast we've had with Maxime T. Very good collective work @thalium_team https://t.co/WXw8ZryycS

2023 Linux Kernel RCEs by @guteissier and @laomaiweng now #OffensiveCon23

As a treat before next week's talk at OffensiveCon by Guillaume & Quentin, here is an introduction to our recent findings on KSMBD. Enjoy, and see you in Berlin to all #OffensiveCon23 attendees! @offensive_con https://t.co/jKsnK71RKU

🛰️@esa has organised an unprecedented takeover of a demonstration satellite. The @thalesgroup's offensive #cybersecurity team took up the challenge by identifying vulnerabilities that could disrupt the operation of #ESA's satellite. #CYSAT https://t.co/V0i88knbXZ

Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution by @guteissier and @laomaiweng https://t.co/3Jcbdf19eo

👀👀👀👀👀👀 https://t.co/MBHrL8VoWC

Upcoming batch of vulnerabilites on Linux & Canonical, stay tuned for details ...

Just pushed some homeworks about NT object access tracing through VMI : https://t.co/GZqVYZyjV5 Let me know if you enjoy it :)

WinDBG kd extension to speed up nt object research resolution by @thalium_team : https://t.co/ILxrGO0ts6 #SSTIC

Windows Memory Introspection with IceBox https://t.co/4RPAOo9eOx