Cyber Resilience

CVE-2025-0725

High · Public PoC

Published: 05 February 2025

Modified: 27 June 2025
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0060 (69.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0725 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in NetApp HCI Baseboard Management Controller. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 30.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0725 is a buffer overflow vulnerability in libcurl triggered during automatic gzip decompression of content-encoded HTTP responses when the CURLOPT_ACCEPT_ENCODING option is used together with zlib 1.2.0.3 or older. The root cause is an attacker-controlled integer overflow that leads to improper memory handling, categorized as CWE-120 and carrying a CVSS 3.1 score of 7.3.

An unauthenticated remote attacker can exploit the flaw over the network by returning a malicious HTTP response containing a crafted gzip payload. Successful exploitation can produce limited impacts on confidentiality, integrity, and availability without requiring user interaction or credentials.

Public advisories and patch information are available at https://curl.se/docs/CVE-2025-0725.html, the corresponding JSON record, the referenced HackerOne report, and oss-security mailing list posts from February 2025.

The EPSS probability rose from a low starting value to a peak of 0.0208 on 2026-02-03 before receding, indicating that exploitation interest increased after disclosure.

EU & UK References

Vulnerability details

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Buffer overflow in libcurl client during HTTP response processing enables remote exploitation for client-side code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1861: Same product class: NAS / storage appliance
CVE-2025-52863: Same product class: NAS / storage appliance
CVE-2025-52864: Same product class: NAS / storage appliance
CVE-2025-12686: Same product class: NAS / storage appliance
CVE-2025-52872: Same product class: NAS / storage appliance
CVE-2024-56171: Same product: NetApp SolidFire & HCI Management Node
CVE-2025-27423: Same product class: NAS / storage appliance
CVE-2020-37024: Shared CWE-120
CVE-2025-25565: Shared CWE-120
CVE-2020-37050: Shared CWE-120

Affected Assets

| Vendor | Product | Versions |
| --- | --- | --- |
| netapp | hci baseboard management controller | all versions |
| netapp | hci h610s firmware | all versions |
| netapp | hci h610c firmware | all versions |
| netapp | hci h615c firmware | all versions |
| netapp | solidfire & hci management node | all versions |
| netapp | solidfire & hci storage node | all versions |
| haxx | curl | 7.10.5 — 8.12.0 |
| haxx | libcurl | 7.10.5 — 8.12.0 |

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and correction of flaws like the libcurl buffer overflow from integer overflow in gzip decompression with old zlib versions.

prevent · detect

RA-5 mandates vulnerability scanning to identify systems running vulnerable libcurl configurations with zlib 1.2.0.3 or older.

prevent

SI-16 implements memory protections such as ASLR and DEP that mitigate exploitation of the buffer overflow even if the vulnerable libcurl code executes.
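As an added example (not code from this page or from the curl project), the RA-5 check described above can be run over collected `curl --version` banners to find builds that meet both preconditions: a libcurl in the listed range and zlib 1.2.0.3 or older. The function names, status labels and sample banners are assumptions made for illustration.

```python
import re

# Ranges as listed on this page. The page gives "7.10.5 — 8.12.0" without
# saying whether the upper bound is inclusive; it is treated as inclusive
# here (assumption, errs toward flagging).
CURL_MIN, CURL_MAX = (7, 10, 5), (8, 12, 0)
ZLIB_MAX = (1, 2, 0, 3)  # "zlib 1.2.0.3 or older"


def parse_version(text, width):
    """Leading dotted number as a zero-padded tuple: '1.3.1.zlib-ng' -> (1, 3, 1, 0)."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple((nums + [0] * width)[:width])


def assess(banner):
    """Classify the first line of `curl --version` output as (status, reason)."""
    lines = banner.strip().splitlines()
    first = lines[0] if lines else ""
    curl = re.search(r"\blibcurl/(\d\S*)", first)
    if not curl:
        return ("unknown", "no libcurl/<version> token found")
    zlib = re.search(r"\bzlib/(\d\S*)", first)
    if not zlib:
        return ("not-exposed", "no zlib listed, so no zlib-based gzip decoding")
    if parse_version(zlib.group(1), 4) > ZLIB_MAX:
        return ("not-exposed", f"zlib {zlib.group(1)} is newer than 1.2.0.3")
    if not CURL_MIN <= parse_version(curl.group(1), 3) <= CURL_MAX:
        return ("not-exposed", f"libcurl {curl.group(1)} is outside the listed range")
    return ("exposed", f"libcurl {curl.group(1)} with zlib {zlib.group(1)}")


# Constructed banners for illustration, not captured from real hosts.
SAMPLES = {
    "legacy-appliance": "curl 7.12.1 (i386-pc-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.0.3",
    "old-curl-new-zlib": "curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7",
    "current-host": "curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.5.0 zlib/1.3.1",
    "no-zlib-build": "curl 7.50.0 (arm-unknown-linux-gnu) libcurl/7.50.0 mbedTLS/2.2.1",
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(host, *assess(banner))
```

An "exposed" result means only that the version preconditions are met; the overflow is reachable only where the application also enables `CURLOPT_ACCEPT_ENCODING`.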

References