Cyber Resilience

CVE-2025-24356

Severity: Medium
Published: 27 January 2025
Modified: 27 August 2025
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0041 (61.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24356 is a medium-severity Amplification (CWE-405) vulnerability in fastd (fastd project). Its CVSS v4 base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Reflection Amplification (T1498.002). The CVE ranks in the top 38.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24356 affects fastd, a VPN daemon that tunnels IP packets and Ethernet frames over UDP. The vulnerability stems from the "fast reconnect" feature: when a data packet arrives from an unknown IP address/port combination, fastd assumes a connected peer has changed addresses and sends a handshake packet to that source to reestablish the session. A minimal 1-byte UDP packet containing only the fastd packet type header therefore triggers a much larger handshake response of roughly 150 bytes of UDP payload; including IPv4 and UDP headers, the amplification factor is roughly 12-13. Versions of fastd prior to v23 are vulnerable.

Attackers can exploit this remotely over the network with no privileges or user interaction required by sending spoofed data packets to internet-exposed fastd instances. The targeted fastd server will reflect amplified UDP traffic to the spoofed source IP, enabling Distributed Denial of Service (DDoS) attacks that leverage the amplification for volumetric flooding.

The vulnerability is addressed in fastd v23 through multiple commits on the project's GitHub repository, including changes that prevent the amplification response. Operators should upgrade to v23 or later to mitigate the issue.
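To make the reflection behaviour concrete, here is an added model (not fastd's code) of a responder that answers any unknown-source data packet with a ~150-byte handshake, beside a per-source rate-limited variant of the kind denial-of-service and boundary-protection controls call for. The packet-type byte value, the peer table, the victim address and the rate limit are assumptions; the rate limiter illustrates the mitigation class, not fastd's actual v23 change.

```python
"""Model of the fastd 'fast reconnect' reflection described for
CVE-2025-24356, beside an illustrative rate-limited variant.
Constructed example; not fastd's code and not its v23 fix."""
from collections import defaultdict

PACKET_TYPE_DATA = 0x02       # assumed value of fastd's 1-byte data type header
HANDSHAKE_LEN = 150           # ~150-byte handshake UDP payload (from the advisory)
KNOWN_PEERS = {("203.0.113.10", 10000)}   # constructed established peer

def is_unsolicited_data(src, payload):
    """True for a data packet from an (ip, port) with no known session."""
    return bool(payload) and payload[0] == PACKET_TYPE_DATA and src not in KNOWN_PEERS

def vulnerable_responder(src, payload, now):
    """Pre-v23 behaviour as described: every data packet from an unknown
    source is treated as a peer that moved, and a ~150-byte handshake is
    sent straight back to the (possibly spoofed) source address."""
    return HANDSHAKE_LEN if is_unsolicited_data(src, payload) else 0

class RateLimitedResponder:
    """Illustrative mitigation (an assumption, not the v23 fix): allow at
    most `burst` unsolicited handshakes per source IP within `window` s,
    bounding the bytes a spoofed flood can reflect to any one victim."""
    def __init__(self, burst=3, window=60.0):
        self.burst, self.window = burst, window
        self.sent = defaultdict(list)   # source ip -> handshake timestamps

    def __call__(self, src, payload, now):
        if not is_unsolicited_data(src, payload):
            return 0
        recent = [t for t in self.sent[src[0]] if now - t < self.window]
        if len(recent) < self.burst:
            recent.append(now)          # budget left: answer this one
            reply = HANDSHAKE_LEN
        else:
            reply = 0                   # budget spent: drop silently
        self.sent[src[0]] = recent
        return reply

def reflected_bytes(responder, n_packets, victim=("198.51.100.7", 4444)):
    """Payload bytes received vs. sent to `victim` when n_packets 1-byte
    data packets spoofed with the victim's address arrive 1 ms apart."""
    request = bytes([PACKET_TYPE_DATA])
    total_in = total_out = 0
    for i in range(n_packets):
        total_in += len(request)
        total_out += responder(victim, request, now=i * 0.001)
    return total_in, total_out
```

With 1000 spoofed 1-byte packets, `reflected_bytes(vulnerable_responder, 1000)` returns 150 000 payload bytes sent to the victim, while the rate-limited responder with the default budget of 3 returns 450; the same per-source accounting is what a flow monitor would key on to spot the reflection pattern.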

Vulnerability details

fastd is a VPN daemon which tunnels IP packets and Ethernet frames over UDP. When receiving a data packet from an unknown IP address/port combination, fastd will assume that one of its connected peers has moved to a new address and initiate a reconnect by sending a handshake packet. This "fast reconnect" avoids having to wait for a session timeout (up to ~90s) until a new connection is established. Even a 1-byte UDP packet just containing the fastd packet type header can trigger a much larger handshake packet (~150 bytes of UDP payload). Including IPv4 and UDP headers, the resulting amplification factor is roughly 12-13. By sending data packets with a spoofed source address to fastd instances reachable on the internet, this amplification of UDP traffic might be used to facilitate a Distributed Denial of Service attack. This vulnerability is fixed in v23.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1498.002 Reflection Amplification (Impact)
Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target.
Why these techniques?

The vulnerability enables reflection amplification by responding to small spoofed UDP packets with larger handshake responses, directly facilitating volumetric DDoS attacks via T1498.002.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (shared CWE-405)

CVE-2025-30204
CVE-2025-53633
CVE-2024-11187
CVE-2026-25611
CVE-2026-22774
CVE-2026-0485
CVE-2026-22775
CVE-2024-55628
CVE-2026-44296

Affected Assets

Vendor: fastd project
Product: fastd
Versions: ≤ 23.0

Mitigating Controls (NIST 800-53 r5)

Flaw remediation (prevent): directly mitigates the vulnerability by requiring an upgrade to fastd v23, which fixes the amplification response to packets from unknown IP/port combinations.

Denial-of-service protection (prevent, detect): limits the effects of amplification-based DDoS attacks triggered by spoofed UDP packets sent to fastd.

Boundary protection (prevent, detect): enables monitoring and control of external UDP communications to block or rate-limit spoofed packets targeting fastd instances.