Cyber Posture

CVE-2025-1674

High

Published: 25 February 2025

Modified: 28 February 2025
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0029 (52.8th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1674 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Zephyrproject Zephyr. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 47.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of information inputs at system entry points, addressing the lack of input validation that enables out-of-bounds reads from malicious or malformed packets.

prevent

Implements memory protection mechanisms that prevent unauthorized out-of-bounds memory reads, mitigating the exploitation vector of this vulnerability.

prevent

Mandates identification, reporting, and correction of system flaws such as this input validation vulnerability, enabling patching to eliminate out-of-bounds reads.

MITRE ATT&CK Enterprise Techniques

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Remote network exploitation of an input validation flaw in a protocol handler enables T1190 for initial access or impact (DoS/info disclosure).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.

Deeper analysis

CVE-2025-1674 is a vulnerability in the Zephyr RTOS stemming from a lack of input validation, which enables out-of-bounds reads triggered by malicious or malformed packets. Classified under CWE-125 (Out-of-bounds Read), it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and was published on 2025-02-25T08:15:29.887.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation results in limited confidentiality impact, such as partial information disclosure, alongside high availability impact, potentially causing denial-of-service conditions through system crashes induced by the out-of-bounds reads.

The Zephyr project has published a security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-x975-8pgf-qh66, which security practitioners should review for details on mitigation strategies and available patches.

Details

CWE(s)

Affected Products

zephyrproject zephyr ≤ 4.0

CVEs Like This One

CVE-2025-1675: Same product: Zephyrproject Zephyr
CVE-2025-1673: Same product: Zephyrproject Zephyr
CVE-2026-1678: Same product: Zephyrproject Zephyr
CVE-2026-1679: Same product: Zephyrproject Zephyr
CVE-2024-10395: Same product: Zephyrproject Zephyr
CVE-2026-42799: Shared CWE-125
CVE-2026-22984: Shared CWE-125
CVE-2025-69806: Shared CWE-125
CVE-2026-22855: Shared CWE-125
CVE-2026-41415: Shared CWE-125
