Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2
ID: 128c98af-4589-59ae-90ce-7e5c43b54d94
STIX ID: report--128c98af-4589-59ae-90ce-7e5c43b54d94
Feed Name: Claroty Team82
Date Published: 2024-07-16
Date Updated: 2026-04-17
Author: Sharon Brizinov; Uri Katz; Tomer Goldschmidt; Noam Moshe
Claroty Team82 documented a detailed WAN-to-LAN exploitation chain used during Pwn2Own 2023 that included a stack-buffer-overflow vulnerability in the Synology BC500 camera's JSON parsing (libjansson), enabling unauthenticated remote code execution. The report covers the root cause (unsafe sscanf usage), missing binary mitigations in the library (no stack canaries), ASLR entropy, exploit construction (heap spraying, address brute-forcing, UTF-8 encoding tricks), and successful remote shell acquisition. It also notes that Synology released firmware fixes (1.0.7-0298).
