CVE-2025-2837
Published: 26 March 2025
Summary
CVE-2025-2837 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Silabs Gecko OS. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 16.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Silicon Labs Gecko OS contains a stack-based buffer overflow vulnerability in its HTTP request handling logic, identified as CVE-2025-2837 and originally reported as ZDI-CAN-23245. The flaw arises from missing validation on the length of attacker-supplied data before it is copied into a fixed-size stack buffer, enabling uncontrolled memory corruption on affected device installations.
Network-adjacent attackers require no authentication or user interaction to trigger the issue and can achieve arbitrary code execution in the context of the Gecko OS process. The vulnerability is rated 8.8 under CVSS 3.0 with an attack vector of adjacent network, low complexity, and full impact on confidentiality, integrity, and availability.
Public advisories from Zero Day Initiative and Silicon Labs are available at the referenced URLs and provide further details on affected versions and remediation steps. The associated EPSS score has remained low, with a current value of 0.0178 and a recorded peak of 0.0283.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8258
Vulnerability details
Silicon Labs Gecko OS HTTP Request Handling Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Silicon Labs Gecko OS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HTTP requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23245.
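The pattern both descriptions above point at (a user-supplied length copied into a fixed-size stack buffer in an HTTP request handler without a bound check) next to the bounded form a reviewer would expect. This is an added C example, not Gecko OS code; the 64-byte buffer, the request-line parsing and the sample inputs are assumptions.

```c
#include <string.h>
#define PATH_BUF 64  /* hypothetical fixed-size stack buffer in the handler */

/* Locate the request-target in "METHOD target HTTP/x.y" (bytes between the
 * first two spaces). Returns its length, or -1 if the line is malformed. */
static int find_target(const char *line, size_t len, size_t *start) {
    const char *sp1 = memchr(line, ' ', len);
    if (!sp1) return -1;
    const char *tgt = sp1 + 1;
    const char *sp2 = memchr(tgt, ' ', len - (size_t)(tgt - line));
    if (!sp2) return -1;
    *start = (size_t)(tgt - line);
    return (int)(sp2 - tgt);
}

/* Shape of the flaw: attacker-controlled length copied into a fixed stack
 * buffer with no bound check. Shown for contrast; nothing below calls it. */
void handle_request_unchecked(const char *line, size_t len) {
    char path[PATH_BUF]; size_t start;
    int n = find_target(line, len, &start);
    if (n < 0) return;
    memcpy(path, line + start, (size_t)n);   /* n >= PATH_BUF smashes the stack */
    path[n] = '\0';
}

/* Hardened form: check the length against the destination before copying and
 * refuse the request rather than overflow. 0 ok, -1 malformed, -2 too long. */
int handle_request_checked(const char *line, size_t len, char *path, size_t path_sz) {
    size_t start;
    int n = find_target(line, len, &start);
    if (n < 0) return -1;
    if ((size_t)n >= path_sz) return -2;     /* leave room for the terminator */
    memcpy(path, line + start, (size_t)n);
    path[n] = '\0';
    return 0;
}

/* Constructed inputs: a benign line and one carrying a 120-byte target. */
int demo_benign(void) {
    const char line[] = "GET /index.html HTTP/1.1";
    char path[PATH_BUF];
    int rc = handle_request_checked(line, sizeof line - 1, path, sizeof path);
    return rc == 0 && strcmp(path, "/index.html") == 0;   /* 1 when correct */
}
int demo_oversized(void) {
    char line[160], path[PATH_BUF];
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', 120);
    memcpy(line + 125, " HTTP/1.1", 9);
    return handle_request_checked(line, 134, path, sizeof path);   /* -2 */
}
```

The bounded version rejects the oversized request outright; silently truncating would avoid the overflow but can still confuse later routing, so an explicit error is the safer default.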
- CWE(s): CWE-121 (Stack-based Buffer Overflow)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.