Cyber Posture

CVE-2025-25567

CriticalPublic PoC

Published: 12 March 2025

Published
12 March 2025
Modified
19 July 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0020 41.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25567 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Softether Vpn. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Flaw remediation directly mitigates the buffer overflow in SoftEther VPN by requiring timely application of vendor patches for CVE-2025-25567.

SI-16 Memory Protection good match
prevent

Memory protection mechanisms such as stack canaries, ASLR, and DEP prevent exploitation of the buffer overflow vulnerability in UniToStrForSingleChars.

SI-10 Information Input Validation partial match
prevent

Information input validation ensures bounds checking on string inputs to functions like UniToStrForSingleChars, addressing the CWE-120 buffer copy without size check.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Buffer overflow vulnerability in SoftEther VPN (public-facing service) could enable remote unauthenticated code execution for initial access, directly mapping to T1190. Vendor dispute on remote exploitability (claims local UI only) introduces uncertainty in applicability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in Internat.c via the UniToStrForSingleChars function. NOTE: the Supplier disputes this because the behavior only enables a local user to attack himself through the UI,

Deeper analysisAI

SoftEther VPN version 5.02.5187 is affected by CVE-2025-25567, a buffer overflow vulnerability in the Internat.c component via the UniToStrForSingleChars function. This issue corresponds to CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

The vulnerability could theoretically enable remote attackers requiring no privileges or user interaction to compromise confidentiality, integrity, and availability with high impact. However, the supplier disputes this characterization, noting that the behavior only allows a local user to attack themselves through the user interface.

Advisories and additional details are available in the supplier's response at https://filecenter.softether-upload.com/d/250715_001_79538/CVE-2025-25567.pdf and the researcher's page at https://lzydry.github.io/CVE-2025-25567/.

Details

CWE(s)
CWE-120

Affected Products

softether
vpn
5.02.5187

CVEs Like This One

CVE-2025-25565Same product: Softether Vpn
CVE-2025-25568Same product: Softether Vpn
CVE-2024-57482Shared CWE-120
CVE-2024-57479Shared CWE-120
CVE-2025-50670Shared CWE-120
CVE-2025-60554Shared CWE-120
CVE-2025-22916Shared CWE-120
CVE-2025-26004Shared CWE-120
CVE-2025-26007Shared CWE-120
CVE-2025-26006Shared CWE-120

References