Cyber Resilience

CVE-2025-25567

CriticalPublic PoC

Published: 12 March 2025

Published
12 March 2025
Modified
19 July 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0020 42.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25567 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Softether Vpn. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

SoftEther VPN version 5.02.5187 is affected by CVE-2025-25567, a buffer overflow vulnerability in the Internat.c component via the UniToStrForSingleChars function. This issue corresponds to CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

The vulnerability could theoretically enable remote attackers requiring no privileges or user interaction to compromise confidentiality, integrity, and availability with high impact. However, the supplier disputes this characterization, noting that the behavior only allows a local user to attack themselves through the user interface.

Advisories and additional details are available in the supplier's response at https://filecenter.softether-upload.com/d/250715_001_79538/CVE-2025-25567.pdf and the researcher's page at https://lzydry.github.io/CVE-2025-25567/.

EU & UK References

Vulnerability details

SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in Internat.c via the UniToStrForSingleChars function. NOTE: the Supplier disputes this because the behavior only enables a local user to attack himself through the UI,

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow vulnerability in SoftEther VPN (public-facing service) could enable remote unauthenticated code execution for initial access, directly mapping to T1190. Vendor dispute on remote exploitability (claims local UI only) introduces uncertainty in applicability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25565Same product: Softether Vpn
CVE-2025-25568Same product: Softether Vpn
CVE-2021-47854Shared CWE-120
CVE-2024-39803Shared CWE-120
CVE-2024-37184Shared CWE-120
CVE-2025-66647Shared CWE-120
CVE-2024-39750Shared CWE-120
CVE-2025-52909Shared CWE-120
CVE-2025-50398Shared CWE-120
CVE-2025-25674Shared CWE-120

Affected Assets

softether
vpn
5.02.5187

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates the buffer overflow in SoftEther VPN by requiring timely application of vendor patches for CVE-2025-25567.

prevent

Memory protection mechanisms such as stack canaries, ASLR, and DEP prevent exploitation of the buffer overflow vulnerability in UniToStrForSingleChars.

prevent

Information input validation ensures bounds checking on string inputs to functions like UniToStrForSingleChars, addressing the CWE-120 buffer copy without size check.

References