Cyber Resilience

CVE-2025-2173

Severity: Medium
Published: 11 March 2025
Modified: 03 October 2025
KEV Added: not listed
Patch: available (see Mitigation below)
CVSS Score (v4): 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0028 (51.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2173 is a medium-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Zapping-Vbi Zvbi. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-2173 is a vulnerability in the libzvbi library in versions up to 0.2.43, classified as problematic due to an uninitialized pointer issue. The flaw affects the vbi_strndup_iconv_ucs2 function in the src/conv.c file, where manipulation of the src_length argument leads to the use of an uninitialized pointer, corresponding to CWE-824 (Access of Uninitialized Pointer) and CWE-908 (Use of Uninitialized Resource). The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with a low confidentiality impact and no integrity or availability impact.

The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required, as it has low attack complexity and no user interaction needed. By crafting input that manipulates the src_length parameter, an attacker can trigger the uninitialized pointer dereference, potentially leading to limited information disclosure. An exploit has been publicly disclosed and may be usable against affected libzvbi instances.

Mitigation is available through upgrading to libzvbi version 0.2.44, which addresses the issue via the patch commit 8def647eea27f7fd7ad33ff79c2d6d3e39948dce. The library maintainer was notified in advance and responded promptly and professionally, with details documented in the GitHub security advisory (GHSA-g7cg-7gw9-v8cf), release notes, and commit history.


Vulnerability details

A vulnerability was found in libzvbi up to 0.2.43. It has been classified as problematic. Affected is the function vbi_strndup_iconv_ucs2 of the file src/conv.c. The manipulation of the argument src_length leads to an uninitialized pointer. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.2.44 is able to address this issue. The patch is identified as 8def647eea27f7fd7ad33ff79c2d6d3e39948dce. It is recommended to upgrade the affected component. The code maintainer was informed beforehand about the issues. She reacted very fast and highly professionally.


Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes remote unauthenticated exploitation with no user interaction required, directly enabling exploitation of a public-facing application (or remote service) using the vulnerable library for limited information disclosure.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2176 (same product: Zapping-Vbi Zvbi)
CVE-2025-2174 (same product: Zapping-Vbi Zvbi)
CVE-2025-2177 (same product: Zapping-Vbi Zvbi)
CVE-2026-34543 (shared CWE-908)
CVE-2025-21220 (shared CWE-908)
CVE-2025-66588 (shared CWE-824)
CVE-2026-42959 (shared CWE-824)
CVE-2025-50165 (shared CWE-908)
CVE-2026-42959 (shared CWE-824)
CVE-2025-27162 (shared CWE-824)
CVE-2024-57907 (shared CWE-908)

Affected Assets

Vendor: zapping-vbi
Product: zvbi
Versions: ≤ 0.2.44

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Directly requires timely flaw remediation by upgrading libzvbi to version 0.2.44, eliminating the uninitialized pointer vulnerability.

Detect: Vulnerability scanning identifies systems with vulnerable libzvbi versions up to 0.2.43 for prioritization in patching.

Prevent: Validates inputs such as src_length to block malformed arguments that trigger the uninitialized pointer dereference in vbi_strndup_iconv_ucs2.
