Cyber Resilience

CVE-2025-0650

High

Published: 23 January 2025

Modified: 15 April 2026
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0650 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, it ranks at the 32.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).

Deeper analysis

A flaw in Open Virtual Network (OVN) allows specially crafted UDP packets to bypass egress access control lists when a logical switch is configured with DNS records and any egress ACLs. The issue affects OVN installations meeting these configuration conditions and can result in unauthorized network access to virtual machines and containers attached to the affected switch. The vulnerability carries a CVSS 3.1 score of 8.1 and is categorized under CWE-284.

An unauthenticated attacker with network access can exploit the flaw by sending crafted UDP packets that evade intended egress filtering. Successful exploitation grants the ability to reach otherwise protected workloads on the OVN overlay, bypassing the access controls that administrators have defined.

Red Hat has published errata RHSA-2025:1083 through RHSA-2025:1087 that address the issue; organizations should apply the updates referenced in these advisories to restore proper ACL enforcement.

The EPSS score rose from a low baseline to a peak of 0.0130 on 2025-12-11 before receding, indicating a clear increase in exploitation interest after disclosure.


Vulnerability details

A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-35177 (Shared CWE-284)
CVE-2026-48898 (Shared CWE-284)
CVE-2025-29315 (Shared CWE-284)
CVE-2025-55261 (Shared CWE-284)
CVE-2026-39339 (Shared CWE-284)
CVE-2026-28855 (Shared CWE-284)
CVE-2026-46839 (Shared CWE-284)
CVE-2025-27646 (Shared CWE-284)
CVE-2026-25519 (Shared CWE-284)
CVE-2026-25176 (Shared CWE-284)


Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of identified flaws, such as applying Red Hat patches for the OVN ACL bypass in CVE-2025-0650.

prevent · detect

Monitors and controls communications at external boundaries to block or detect specially crafted UDP packets attempting to bypass OVN egress ACLs.

prevent

Enforces approved information flow control policies, addressing the improper access control in OVN logical switch egress ACLs exploited by this CVE.
