Cyber Resilience

CVE-2025-0624

Severity: High
Published: 19 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: vendor updates available (see the Red Hat advisories below)
CVSS v3.1: 7.6 (High), CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.0066 (71.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0624 is a high-severity Out-of-bounds Write (CWE-787) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Bootkit (T1542.003). The CVE ranks in the top 28.5% of CVEs by EPSS-predicted exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0624 is an out-of-bounds write (CWE-787) in the GRUB2 bootloader's network boot code. While searching for its configuration file over the network, GRUB2 copies the contents of a user-controlled environment variable into an internal buffer with grub_strcpy(). The buffer is allocated without accounting for the variable's actual length, so an overlong value writes past the end of the allocation and corrupts memory. The flaw carries a CVSS 3.1 base score of 7.6 (AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

An attacker on the same network segment as the booting machine can influence that variable while GRUB2 is searching for the configuration file, which is why the attack vector is adjacent network (AV:A) rather than network. Successful exploitation yields code execution inside the bootloader, before any kernel loads. Because GRUB2 is running as a Secure Boot-trusted component at that point, the attacker can use it to bypass Secure Boot protections and hand control to unsigned code.

Multiple Red Hat Security Advisories (RHSA-2025:2521, RHSA-2025:2653, RHSA-2025:2655, RHSA-2025:2675, and RHSA-2025:2784) address the issue through updated GRUB2 packages. Because the vulnerable code runs during network boot, the GRUB2 image served by the PXE/TFTP boot server must be replaced as well: updating the packages on already-booted hosts does not by itself change what a network-booting client executes.

EPSS for the CVE rose from a low baseline to a peak of 0.0254 on 2026-02-18, roughly a year after disclosure, before receding to the current value of 0.0066. The spike indicates a temporary rise in predicted exploitation likelihood, not confirmed in-the-wild exploitation; the CVE remains outside the CISA KEV catalog.


Vulnerability details

A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user-controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to bypass secure boot protections.
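The copy-without-sizing pattern described in the deeper analysis and in the vendor description above is easier to see in code. The following is an added example written for this page, not GRUB2's own code: the function names, the "<prefix>-<mac>" path format, the MAC_STR_LEN assumption and the sample values are all invented for illustration. It places the vulnerable allocation next to a fixed version that validates the environment variable (the input validation control listed under Mitigating Controls) and sizes the buffer from the actual string length.

```c
/*
 * Illustrative reconstruction of the bug class behind CVE-2025-0624, added to
 * this page as an example. It is NOT GRUB2's code: every name below is
 * invented, and only the shape of the defect matches what the advisory
 * describes (an unbounded grub_strcpy() of a user-controlled environment
 * variable into a buffer sized without regard to that variable's length).
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of a canonical "aa:bb:cc:dd:ee:ff" string. The buggy routine bakes
 * this assumption into its allocation; the attacker controls the real length. */
#define MAC_STR_LEN 17

/* Vulnerable pattern (CWE-787): the buffer is sized from an assumption about
 * the MAC string, then the user-controlled value is copied with strcpy(),
 * which writes strlen(mac_env)+1 bytes no matter how large the buffer is.
 * Calling this with an overlong mac_env corrupts the heap. */
char *build_config_path_vulnerable(const char *prefix, const char *mac_env)
{
    size_t plen = strlen(prefix);
    char *path = malloc(plen + 1 + MAC_STR_LEN + 1);   /* "<prefix>-<mac>\0" */
    if (path == NULL)
        return NULL;
    memcpy(path, prefix, plen);
    path[plen] = '-';
    strcpy(path + plen + 1, mac_env);   /* unbounded: the out-of-bounds write */
    return path;
}

/* Bytes the vulnerable routine would write past its allocation for this input
 * (0 when the input fits). Shows the defect without executing undefined behaviour. */
size_t vulnerable_overflow_bytes(const char *prefix, const char *mac_env)
{
    size_t allocated = strlen(prefix) + 1 + MAC_STR_LEN + 1;
    size_t needed    = strlen(prefix) + 1 + strlen(mac_env) + 1;
    return needed > allocated ? needed - allocated : 0;
}

/* Input validation: accept only a canonical colon-separated MAC string
 * before it is used to build a file name. */
int mac_env_is_valid(const char *mac_env)
{
    if (mac_env == NULL || strlen(mac_env) != MAC_STR_LEN)
        return 0;
    for (int i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (mac_env[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)mac_env[i])) {
            return 0;
        }
    }
    return 1;
}

/* Fixed pattern: validate the untrusted value, size the buffer from the actual
 * lengths, and write with a bounded formatter so a later change to the format
 * cannot silently reintroduce the overflow. */
char *build_config_path_fixed(const char *prefix, const char *mac_env)
{
    if (!mac_env_is_valid(mac_env))
        return NULL;
    size_t n = strlen(prefix) + 1 + strlen(mac_env) + 1;
    char *path = malloc(n);
    if (path == NULL)
        return NULL;
    int written = snprintf(path, n, "%s-%s", prefix, mac_env);
    if (written < 0 || (size_t)written >= n) {   /* truncated: refuse rather than guess */
        free(path);
        return NULL;
    }
    return path;
}

/* Helper: build a path with the given routine and compare it to the expected
 * string (expected == NULL means "the input must be rejected"). */
int path_matches(char *(*build)(const char *, const char *),
                 const char *prefix, const char *mac_env, const char *expected)
{
    char *path = build(prefix, mac_env);
    int ok = (path == NULL || expected == NULL)
                 ? (path == NULL && expected == NULL)
                 : (strcmp(path, expected) == 0);
    free(path);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a canonical MAC and an overlong attacker-chosen one. */
    const char *prefix   = "grub.cfg";
    const char *good_mac = "52:54:00:12:34:56";
    const char *evil_mac = "52:54:00:12:34:56:41:41:41:41:41:41";

    printf("overflow for canonical MAC: %zu bytes\n", vulnerable_overflow_bytes(prefix, good_mac));
    printf("overflow for overlong MAC:  %zu bytes\n", vulnerable_overflow_bytes(prefix, evil_mac));
    printf("fixed routine accepts canonical MAC: %d\n",
           path_matches(build_config_path_fixed, prefix, good_mac, "grub.cfg-52:54:00:12:34:56"));
    printf("fixed routine rejects overlong MAC:  %d\n",
           path_matches(build_config_path_fixed, prefix, evil_mac, NULL));
    return 0;
}
```

The vulnerable routine is never called with the overlong value in the program above, because doing so is undefined behaviour; vulnerable_overflow_bytes() reports what it would have written past the allocation (18 bytes for the constructed 35-character value). The fix combines two independent defences: rejecting anything that is not a well-formed MAC string, and deriving the allocation from the real length so that even an accepted value cannot exceed it.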

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1542.003 Bootkit (Stealth)
Adversaries may use bootkits to persist on systems.

Why these techniques?

Out-of-bounds write in GRUB2 network boot enables RCE that can install a bootkit and bypass secure boot (T1542.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-45782 (shared CWE-787)
CVE-2025-1125 (shared CWE-787)
CVE-2025-25742 (shared CWE-787)
CVE-2025-21042 (shared CWE-787)
CVE-2025-27175 (shared CWE-787)
CVE-2019-25679 (shared CWE-787)
CVE-2026-0122 (shared CWE-787)
CVE-2024-54509 (shared CWE-787)
CVE-2025-1016 (shared CWE-787)
CVE-2025-30273 (shared CWE-787)


Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of identified flaws like the grub2 out-of-bounds write via vendor patches such as RHSA-2025:2521.

SI-10 Information Input Validation (prevent)
Requires validation of the length and content of user-controlled environment variables to prevent buffer overflows during grub2 network boot configuration search.

Memory protection (prevent)
Implements memory protection mechanisms such as bounds checking to mitigate out-of-bounds writes in bootloader processes like grub2.
