Cyber Resilience

CVE-2025-1049

Severity: High
Published: 23 April 2025
Modified: 25 August 2025
KEV added: not listed
CVSS v3 score: 8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0072 (72.8th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1049 is a high-severity heap-based buffer overflow (CWE-122) in Sonos S1. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it in the top 27.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability tracked as CVE-2025-1049 is a heap-based buffer overflow in the Sonos Era 300 speaker that permits remote code execution. It arises during processing of ID3 data: the firmware fails to validate the length of attacker-supplied input before copying it into a heap buffer. The issue was originally reported as ZDI-CAN-25601. The flaw is reachable by network-adjacent attackers without authentication and results in code execution with the privileges of the anacapa user.

An attacker positioned on the same local network segment can send a crafted ID3 tag to an affected speaker and obtain arbitrary code execution. The CVSS 8.8 vector reflects the combination of adjacent-network access, low attack complexity, and the absence of required credentials or user interaction, allowing an unauthenticated adversary to achieve full control over the device in the context of the anacapa account.

The Zero Day Initiative advisory ZDI-25-224 is the primary public reference for this issue. EPSS for the CVE rose from a low baseline to a recorded peak of 0.0140, indicating increased exploitation interest after disclosure.

Vulnerability details

Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of ID3 data. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the anacapa user. Was ZDI-CAN-25601.
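The bug class described in the analysis and in the advisory text above, a declared ID3 frame length copied into a heap buffer without validation, illustrated in C as an added example with the unchecked copy beside its hardened form. This is not Sonos firmware code: the frame layout follows ID3v2.3 (4-byte id, 4-byte big-endian size, 2 flag bytes), and TEXT_MAX, the function names and the sample frames are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TEXT_MAX 64       /* capacity of the heap buffer receiving the frame text (assumed) */
#define ID3_FRAME_HDR 10  /* ID3v2.3 frame header: 4-byte id, 4-byte size, 2 flag bytes */

/* Decode the big-endian 32-bit size field of an ID3v2.3 frame header. */
static uint32_t id3_frame_size(const uint8_t *hdr) {
    return ((uint32_t)hdr[4] << 24) | ((uint32_t)hdr[5] << 16) |
           ((uint32_t)hdr[6] << 8)  |  (uint32_t)hdr[7];
}

/* Vulnerable pattern (CWE-122): the declared frame size is trusted as the copy
 * length into a fixed-size heap buffer. Shown only to make the missing check
 * visible; never call it on untrusted input. */
char *copy_frame_text_unchecked(const uint8_t *frame) {
    uint32_t size = id3_frame_size(frame);
    char *text = malloc(TEXT_MAX);
    if (!text) return NULL;
    memcpy(text, frame + ID3_FRAME_HDR, size);  /* size may exceed TEXT_MAX */
    text[size] = '\0';
    return text;
}

/* Hardened form: check the declared size against the bytes actually present in
 * the input and against the destination capacity before copying. Returns a
 * NUL-terminated heap string, or NULL when the frame is rejected. */
char *copy_frame_text_checked(const uint8_t *frame, size_t remaining) {
    if (remaining < ID3_FRAME_HDR) return NULL;         /* truncated header */
    uint32_t size = id3_frame_size(frame);
    if (size > remaining - ID3_FRAME_HDR) return NULL;  /* claims bytes not in input */
    if (size >= TEXT_MAX) return NULL;                  /* would overflow the buffer */
    char *text = malloc(TEXT_MAX);
    if (!text) return NULL;
    memcpy(text, frame + ID3_FRAME_HDR, size);
    text[size] = '\0';
    return text;
}

/* Constructed sample: a TIT2 frame declaring 5 bytes of text ("hello"). */
const uint8_t SAMPLE_OK[]  = { 'T','I','T','2', 0,0,0,5, 0,0, 'h','e','l','l','o' };
/* Constructed sample: same frame, size field inflated to 0x10000 with only 5 bytes following. */
const uint8_t SAMPLE_BAD[] = { 'T','I','T','2', 0,1,0,0, 0,0, 'h','e','l','l','o' };
```

The checked variant rejects both a size that exceeds the input still available and a size that would not fit the destination buffer, which is the validation the advisory says is missing.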

CWE(s)

CWE-122: Heap-based Buffer Overflow

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sonos s1: versions ≤ 57.22-61162
sonos s2: versions ≤ 83.1-61240

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

ZDI-25-224 (Zero Day Initiative advisory; originally ZDI-CAN-25601)