CVE-2025-24975
Published: 15 August 2025
Summary
CVE-2025-24975 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Firebirdsql Firebird. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-24975 is a vulnerability in Firebird, an open-source relational database server, affecting versions prior to snapshot builds 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 when the ExtConnPoolSize configuration parameter is not set to 0. The issue stems from external connection pool (ExtConnPool) entries not being verified for the presence and suitability of the CryptCallback interface relative to conditions at creation time. This mismatch can trigger a segmentation fault (segfault) in the server process, particularly during chained execute statements on external connections. Encrypted databases accessed via such statements may subsequently be reachable by attachments lacking the encryption key, enabling unauthorized access, while the segfault can also impact unencrypted databases. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L) and maps to CWE-754 (Improper Check for Unusual or Exceptional Conditions).
A low-privileged user (PR:L) with network access can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction. By issuing execute statements on external connections in a configuration where ExtConnPoolSize exceeds 0, the attacker can induce a server segfault for denial-of-service impact (A:L). Attackers may also gain high confidentiality (C:H) and integrity (I:H) effects by accessing encrypted database contents without the required key via pooled connections reused by unauthorized attachments.
Firebird has patched the vulnerability in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, as well as point releases 4.0.6 and 5.0.2. A recommended workaround is to set ExtConnPoolSize to 0 in the firebird.conf file. Official advisories, including the fixing commit, issue discussion, and GitHub security advisory, provide further details on the patch and verification steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25030
Vulnerability details
Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface…
more
is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploit of public-facing DB server enabling unauthorized encrypted data access and segfault DoS due to improper condition checks in connection pooling.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces setting ExtConnPoolSize=0 in firebird.conf to disable the vulnerable external connection pool feature.
Disables non-essential ExtConnPool functionality whose reuse logic triggers the segfault and key-mismatch bypass.
Requires prompt application of the vendor patches (4.0.6/5.0.2+) that correct CryptCallback verification in pooled external connections.