CVE-2025-0650
Published: 23 January 2025
Summary
CVE-2025-0650 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).
Deeper analysis
A flaw in Open Virtual Network (OVN) allows specially crafted UDP packets to bypass egress access control lists when a logical switch is configured with DNS records and any egress ACLs. The issue affects OVN installations meeting these configuration conditions and can result in unauthorized network access to virtual machines and containers attached to the affected switch. The vulnerability carries a CVSS 3.1 score of 8.1 and is categorized under CWE-284.
An unauthenticated attacker with network access can exploit the flaw by sending crafted UDP packets that evade intended egress filtering. Successful exploitation grants the ability to reach otherwise protected workloads on the OVN overlay, bypassing the access controls that administrators have defined.
Red Hat has published errata RHSA-2025:1083 through RHSA-2025:1087 that address the issue; organizations should apply the updates referenced in these advisories to restore proper ACL enforcement.
The EPSS score rose from a low baseline to a peak of 0.0130 on 2025-12-11 before receding, indicating a clear increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1804
Vulnerability details
A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch…
more
has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of identified flaws, such as applying Red Hat patches for the OVN ACL bypass in CVE-2025-0650.
Monitors and controls communications at external boundaries to block or detect specially crafted UDP packets attempting to bypass OVN egress ACLs.
Enforces approved information flow control policies, addressing the improper access control in OVN logical switch egress ACLs exploited by this CVE.