CVE-2025-1673
Published: 25 February 2025
Summary
CVE-2025-1673 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 38.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2025-1673 is an out-of-bounds read vulnerability (CWE-125) in the Zephyr RTOS. A malicious or malformed DNS packet without a payload can trigger the issue, resulting in a crash that causes denial of service or an incorrect computation. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and was published on 2025-02-25T07:15:18.837.
Attackers can exploit this remotely over the network with low attack complexity, requiring no privileges or user interaction. Any unauthenticated remote actor able to send DNS packets to a vulnerable Zephyr instance can trigger the out-of-bounds read, achieving high-impact denial of service via crashes or low-impact integrity violations through incorrect computations, while confidentiality remains unaffected.
The Zephyr Project security advisory provides details on mitigation: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-jjhx-rrh4-j8mx.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5069
Vulnerability details
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Malformed DNS packet triggers out-of-bounds read leading to crash/DoS via direct remote exploitation of the network-facing service.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly remediates the specific out-of-bounds read flaw in Zephyr RTOS DNS packet processing triggered by malformed packets.
Validates incoming DNS packets from external sources to reject malformed inputs without payloads that cause the out-of-bounds read.
Ensures robust error handling during DNS packet parsing to prevent crashes or incorrect computations from out-of-bounds reads.