CVE-2025-1674

High

Published: 25 February 2025

Modified: 28 February 2025
KEV Added
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0029 (53.2th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1674 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 46.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-1674 is a vulnerability in the Zephyr RTOS stemming from a lack of input validation, which enables out-of-bounds reads triggered by malicious or malformed packets. Classified under CWE-125 (Out-of-bounds Read), it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and was published on 2025-02-25T08:15:29.887.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation results in limited confidentiality impact, such as partial information disclosure, alongside high availability impact, potentially causing denial-of-service conditions through system crashes induced by the out-of-bounds reads.

The Zephyr project has published a security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-x975-8pgf-qh66, which security practitioners should review for details on mitigation strategies and available patches.

Vulnerability details

A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote network exploitation of an input validation flaw in a protocol handler maps to T1190, whether used for initial access or for impact (DoS or information disclosure).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1675 (same product: Zephyrproject Zephyr)
CVE-2026-1678 (same product: Zephyrproject Zephyr)
CVE-2025-1673 (same product: Zephyrproject Zephyr)
CVE-2024-10395 (same product: Zephyrproject Zephyr)
CVE-2026-1679 (same product: Zephyrproject Zephyr)
CVE-2025-55100 (shared CWE-125)
CVE-2025-54950 (shared CWE-125)
CVE-2026-22855 (shared CWE-125)
CVE-2026-23455 (shared CWE-125)
CVE-2026-41415 (shared CWE-125)

Affected Assets

zephyrproject zephyr, versions ≤ 4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of information inputs at system entry points, addressing the lack of input validation that enables out-of-bounds reads from malicious or malformed packets.

prevent

Implements memory protection mechanisms that prevent unauthorized out-of-bounds memory reads, mitigating the exploitation vector of this vulnerability.

prevent

Mandates identification, reporting, and correction of system flaws such as this input validation vulnerability, enabling patching to eliminate out-of-bounds reads.