CVE-2025-1673
Published: 25 February 2025
Summary
CVE-2025-1673 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 39.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the specific out-of-bounds read flaw in Zephyr RTOS DNS packet processing triggered by malformed packets.
Validates incoming DNS packets from external sources to reject malformed inputs, such as packets without a payload, that cause the out-of-bounds read.
Ensures robust error handling during DNS packet parsing to prevent crashes or incorrect computations from out-of-bounds reads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Malformed DNS packet triggers out-of-bounds read leading to crash/DoS via direct remote exploitation of the network-facing service.
NVD Description
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
Deeper analysis
CVE-2025-1673 is an out-of-bounds read vulnerability (CWE-125) in the Zephyr RTOS. A malicious or malformed DNS packet without a payload can trigger the issue, resulting in a crash that causes denial of service or an incorrect computation. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and was published on 2025-02-25T07:15:18.837.
Attackers can exploit this remotely over the network with low attack complexity, requiring no privileges or user interaction. Any unauthenticated remote actor able to send DNS packets to a vulnerable Zephyr instance can trigger the out-of-bounds read, achieving high-impact denial of service via crashes or low-impact integrity violations through incorrect computations, while confidentiality remains unaffected.
The Zephyr Project security advisory provides details on mitigation: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-jjhx-rrh4-j8mx.
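The input-validation and error-handling controls named above, sketched as an added example: this is not Zephyr's code and not the fix from the advisory. The names `dns_validate` and `skip_qname`, the error codes, the sample packets, and the policy of rejecting a message that ends at the 12-byte header are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define DNS_HDR_LEN 12u /* fixed header size, RFC 1035 section 4.1.1 */

enum { DNS_OK = 0, DNS_ERR_SHORT = -1, DNS_ERR_NO_PAYLOAD = -2, DNS_ERR_TRUNCATED = -3 };

/* Constructed sample packets (hypothetical, not captured traffic). */
static const uint8_t pkt_header_only[12] = { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0 };
static const uint8_t pkt_query[21] = { 0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
                                       3, 'f', 'o', 'o', 0, 0, 1, 0, 1 };
static const uint8_t pkt_bad_label[14] = { 0x12, 0x34, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 63, 'a' };

/* Skip one QNAME; every read is checked against len before it happens. */
static int skip_qname(const uint8_t *buf, size_t len, size_t *off)
{
    size_t pos = *off;
    for (;;) {
        if (pos >= len) return -1;              /* length byte itself is missing */
        uint8_t l = buf[pos];
        if (l == 0) { pos += 1; break; }        /* root label ends the name */
        if ((l & 0xC0) == 0xC0) {               /* compression pointer: 2 bytes */
            if (len - pos < 2) return -1;
            pos += 2;
            break;
        }
        if ((l & 0xC0) != 0) return -1;         /* reserved label type */
        if (len - pos - 1 < l) return -1;       /* label would run past the end */
        pos += 1u + l;
    }
    *off = pos;
    return 0;
}

/* Validate header and question section before any parser touches the data. */
int dns_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < DNS_HDR_LEN) return DNS_ERR_SHORT;
    if (len == DNS_HDR_LEN) return DNS_ERR_NO_PAYLOAD; /* nothing after header */
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    size_t off = DNS_HDR_LEN;
    for (uint16_t i = 0; i < qdcount; i++) {
        if (skip_qname(buf, len, &off) != 0) return DNS_ERR_TRUNCATED;
        if (len - off < 4) return DNS_ERR_TRUNCATED;    /* QTYPE + QCLASS */
        off += 4;
    }
    return DNS_OK;
}
```

Returning a distinct error code for each failure lets the caller drop the packet and keep running instead of continuing with counts that the buffer cannot back.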
Details
- CWE(s)