CVE-2025-24356
Published: 27 January 2025
Summary
CVE-2025-24356 is a high-severity amplification vulnerability (CWE-405, Asymmetric Resource Consumption) in fastd, the UDP-based VPN daemon maintained by the fastd project. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Reflection Amplification (T1498.002); ranked in the top 38.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) directly mitigates the vulnerability: upgrade to fastd v23, which fixes the amplified handshake response to data packets arriving from an unknown IP address/port combination.
SC-5 (Denial-of-service Protection) limits the effect of the amplification-based DDoS traffic that spoofed UDP packets to fastd can generate, on both the reflecting fastd host and the spoofed victim.
SC-7 (Boundary Protection) enables monitoring and control of external UDP traffic to the fastd port, so that very small datagrams from a single (spoofed) source can be rate-limited or blocked before fastd answers them.
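As an added example of the boundary-side rate limit described above (this is editor-supplied illustration, not fastd documentation and not a complete firewall policy), an nftables fragment that caps the rate of very small UDP datagrams per source address on the fastd port. It assumes fastd is bound to UDP port 1337 and that a datagram whose UDP length field is at most 12 bytes (8-byte header plus at most 4 bytes of payload) is never sent by a genuine peer at more than a few per second; both the port and the threshold must be adjusted to the deployment.

```nft
# Editor-supplied example; assumes fastd listens on UDP 1337 and that a
# legitimate peer never sends tiny datagrams faster than 2/s (tune per site).
table inet fastd_guard {
    chain input {
        type filter hook input priority filter; policy accept;

        # Tiny datagrams to the fastd port: allow at most 2/s (burst 5) per
        # source address, drop the rest. The UDP length field includes the
        # 8-byte UDP header, so "<= 12" means at most 4 bytes of payload.
        udp dport 1337 udp length <= 12 meter tiny_per_src { ip saddr limit rate over 2/second burst 5 packets } counter drop
    }
}
```

Because the source address of the trigger packets is the victim's, this cap bounds how much reflected traffic any one victim can receive from this host rather than stopping the attacker; it is a stopgap until the upgrade to v23. The `ip saddr` meter covers IPv4 only; an instance bound to IPv6 needs a parallel rule keyed on `ip6 saddr`.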
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables reflection amplification by responding to small spoofed UDP packets with larger handshake responses, directly facilitating volumetric DDoS attacks via T1498.002.
NVD Description
fastd is a VPN daemon which tunnels IP packets and Ethernet frames over UDP. When receiving a data packet from an unknown IP address/port combination, fastd will assume that one of its connected peers has moved to a new address and initiate a reconnect by sending a handshake packet. This "fast reconnect" avoids having to wait for a session timeout (up to ~90s) until a new connection is established. Even a 1-byte UDP packet just containing the fastd packet type header can trigger a much larger handshake packet (~150 bytes of UDP payload). Including IPv4 and UDP headers, the resulting amplification factor is roughly 12-13. By sending data packets with a spoofed source address to fastd instances reachable on the internet, this amplification of UDP traffic might be used to facilitate a Distributed Denial of Service attack. This vulnerability is fixed in v23.
Deeper analysis
CVE-2025-24356 affects fastd, a VPN daemon that tunnels IP packets and Ethernet frames over UDP. The vulnerability stems from the "fast reconnect" feature: when a data packet arrives from an IP address/port combination fastd does not know, it assumes a connected peer has changed addresses and sends a handshake packet to re-establish the session. A 1-byte UDP packet containing only the fastd packet type header is enough to trigger a handshake response of roughly 150 bytes of UDP payload; the advisory puts the amplification factor at roughly 12-13 once IPv4 and UDP headers are counted. The exact factor measured against a given instance depends on the handshake packet's actual size for its configuration, but the asymmetry is large in any case. Versions of fastd prior to v23 are vulnerable.
Attackers can exploit this remotely over the network with no privileges or user interaction required by sending spoofed data packets to internet-exposed fastd instances. The targeted fastd server will reflect amplified UDP traffic to the spoofed source IP, enabling Distributed Denial of Service (DDoS) attacks that leverage the amplification for volumetric flooding.
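The traffic pattern described above (a tiny inbound datagram to the fastd port answered by a much larger outbound datagram to the same spoofed address and port, repeated for many ports or many victims) is straightforward to spot in flow or packet records from the fastd host's own network. The following detector is an example added by the editor; it is not fastd code and not part of the advisory. It assumes the fastd instance listens on 203.0.113.10:1337 (a documentation address; the real port is whatever `bind` is set to), that lengths are IP-layer sizes, and uses constructed records that mimic the exchange: one legitimate peer, five spoofed 1-byte triggers each answered by a 178-byte handshake, and one unanswered stray.

```python
"""Detect fastd-style UDP reflection in flow/packet records.

Editor-supplied example; not fastd code and not part of the advisory.
Assumes the fastd instance listens on 203.0.113.10:1337 (documentation
address), lengths are IP-layer byte counts, and the sample records below
are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

IPV4_UDP_HEADERS = 28  # 20-byte IPv4 header + 8-byte UDP header


@dataclass(frozen=True)
class Datagram:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    length: int    # IP-layer length in bytes (UDP payload + 28)


def amplification_factor(request_payload, response_payload, headers=IPV4_UDP_HEADERS):
    """Bytes delivered to the victim per byte the attacker must send, counting
    the IPv4 and UDP headers on both sides as the advisory does."""
    return (response_payload + headers) / (request_payload + headers)


def pair_reflections(records, server, server_port, max_trigger_payload=4, window=0.5):
    """Pair each tiny inbound datagram for the server with the first outbound
    datagram sent back to the same (address, port) within `window` seconds.
    Returns {source_ip: [(trigger_len, reply_len), ...]}."""
    inbound = sorted((r for r in records
                      if r.dst == server and r.dport == server_port
                      and r.length - IPV4_UDP_HEADERS <= max_trigger_payload),
                     key=lambda r: r.ts)
    outbound = sorted((r for r in records if r.src == server and r.sport == server_port),
                      key=lambda r: r.ts)
    pairs = defaultdict(list)
    claimed = set()  # outbound indices already matched to a trigger
    for q in inbound:
        for i, a in enumerate(outbound):
            if i in claimed or a.ts < q.ts:
                continue
            if a.ts - q.ts > window:
                break  # outbound is time-sorted; nothing later can match
            if a.dst == q.src and a.dport == q.sport:
                claimed.add(i)
                pairs[q.src].append((q.length, a.length))
                break
    return dict(pairs)


def reflection_alerts(records, server, server_port, min_pairs=3, min_ratio=4.0):
    """Sources that received at least `min_pairs` reflected datagrams with an
    aggregate bytes-out/bytes-in ratio of at least `min_ratio`. With spoofed
    triggers the reported address is the *victim*, not the attacker."""
    alerts = {}
    for ip, pairs in pair_reflections(records, server, server_port).items():
        bytes_in = sum(q for q, _ in pairs)
        bytes_out = sum(a for _, a in pairs)
        ratio = bytes_out / bytes_in
        if len(pairs) >= min_pairs and ratio >= min_ratio:
            alerts[ip] = (len(pairs), round(ratio, 1))
    return alerts


SERVER, PORT = "203.0.113.10", 1337

# Constructed records (IP-layer lengths): one legitimate peer exchanging
# full-size data packets, five 1-byte "data" datagrams carrying the victim's
# spoofed address that an unpatched daemon answers with a ~150-byte
# handshake, and one tiny datagram that got no reply.
SAMPLE = [
    Datagram(0.00, "192.0.2.5", 40000, SERVER, PORT, 1428),
    Datagram(0.01, SERVER, PORT, "192.0.2.5", 40000, 1428),
    *[Datagram(1.0 + 0.1 * i, "198.51.100.7", 20000 + i, SERVER, PORT, 29) for i in range(5)],
    *[Datagram(1.0 + 0.1 * i + 0.002, SERVER, PORT, "198.51.100.7", 20000 + i, 178) for i in range(5)],
    Datagram(2.0, "192.0.2.9", 5555, SERVER, PORT, 29),
]

if __name__ == "__main__":
    for ip, (n, ratio) in reflection_alerts(SAMPLE, SERVER, PORT).items():
        print(f"reflection toward {ip}: {n} datagrams, {ratio}x amplification")
```

On the constructed sample the detector reports 198.51.100.7 as receiving five reflected datagrams at an aggregate ratio of about 6.1 at the IP layer; the legitimate peer is never considered because its datagrams are full-size, and the unanswered stray forms no pair. In production the same pairing can be fed from NetFlow/IPFIX or a packet capture, and the thresholds should be raised so that a peer's occasional genuine reconnect does not alert.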
The vulnerability is fixed in fastd v23; the relevant commits are on the project's GitHub repository and remove the amplified handshake response in the fast-reconnect path. Upgrade every internet-reachable fastd instance to v23 or later. Where that cannot happen immediately, rate-limit or filter very small UDP datagrams to the fastd port at the network boundary, and treat any unexplained burst of outbound handshake packets from a fastd host as a sign that it is being used as a reflector: the fastd instance itself need not be the attacker's target to be abused.
Details
- CWE(s)