
CVE-2025-2837

Severity: High

Published: 26 March 2025
Modified: 08 August 2025
KEV: not listed
CVSS v3 score: 8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0178 (83.1st percentile)
Risk priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2837 is a high-severity stack-based buffer overflow (CWE-121) in Silicon Labs Gecko OS. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 16.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Silicon Labs Gecko OS contains a stack-based buffer overflow vulnerability in its HTTP request handling logic, identified as CVE-2025-2837 and originally reported as ZDI-CAN-23245. The flaw arises from missing validation on the length of attacker-supplied data before it is copied into a fixed-size stack buffer, enabling uncontrolled memory corruption on affected device installations.

Network-adjacent attackers require no authentication or user interaction to trigger the issue and can achieve arbitrary code execution in the context of the Gecko OS process. The vulnerability is rated 8.8 under CVSS 3.0 with an attack vector of adjacent network, low complexity, and full impact on confidentiality, integrity, and availability.

Public advisories from Zero Day Initiative and Silicon Labs are available at the referenced URLs and provide further details on affected versions and remediation steps. The associated EPSS score has remained low, with a current value of 0.0178 and a recorded peak of 0.0283.


Vulnerability details

Silicon Labs Gecko OS HTTP Request Handling Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Silicon Labs Gecko OS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HTTP requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23245.
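As an added illustration of the defect class described in the deeper analysis and in the ZDI description above, and not code from Gecko OS or Silicon Labs: a hypothetical HTTP request-line handler that copies the request path into a fixed-size stack buffer, shown in its unchecked form next to the length-checked form that a fix for this class of bug introduces. The buffer size, function names, request layout and return codes are assumptions made for this example.

```c
/* Illustrative example of CWE-121 as described in this advisory: a
 * fixed-size stack buffer receiving a request field whose length is not
 * checked. This is hypothetical code written for this page; it is NOT
 * Gecko OS source and does not reproduce the real parser, only the defect
 * pattern and its remediation. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF_SIZE 64   /* assumed size of the stack buffer */

/* Locate the request-target (e.g. "/index.html") in a request line
 * such as "GET /index.html HTTP/1.1". Returns NULL if the line is
 * malformed; otherwise sets *len to the target's length. */
static const char *find_path(const char *req, size_t *len) {
    const char *sp1 = strchr(req, ' ');
    if (!sp1) return NULL;
    const char *start = sp1 + 1;
    const char *sp2 = strchr(start, ' ');
    if (!sp2) return NULL;
    *len = (size_t)(sp2 - start);
    return start;
}

/* Vulnerable pattern: the parsed length is trusted and the copy is
 * unbounded, so a target of PATH_BUF_SIZE bytes or more writes past
 * path[] on the stack. Kept only as the "before" for comparison with
 * handle_request_fixed(); it must never see untrusted input. */
int handle_request_vulnerable(const char *req) {
    char path[PATH_BUF_SIZE];
    size_t len;
    const char *p = find_path(req, &len);
    if (!p) return -1;
    memcpy(path, p, len);        /* no check that len < sizeof path */
    path[len] = '\0';
    return 0;
}

/* Hardened form: refuse any target that does not fit together with its
 * terminating NUL, before touching the buffer. */
int handle_request_fixed(const char *req) {
    char path[PATH_BUF_SIZE];
    size_t len;
    const char *p = find_path(req, &len);
    if (!p) return -1;                   /* malformed request line */
    if (len >= sizeof path) return -2;   /* too long: reject (HTTP 414-style) */
    memcpy(path, p, len);
    path[len] = '\0';
    return 0;
}

/* Build a constructed request line "GET AAA...A HTTP/1.1" whose target is
 * n bytes long and run it through the hardened handler. Lets a reader or
 * test probe the boundary without hand-writing long strings. */
int check_path_length(size_t n) {
    char req[512];
    if (n + 16 >= sizeof req) return -3; /* keep the constructed line in bounds */
    size_t i = 0;
    memcpy(req + i, "GET ", 4); i += 4;
    memset(req + i, 'A', n);    i += n;
    memcpy(req + i, " HTTP/1.1", 9); i += 9;
    req[i] = '\0';
    return handle_request_fixed(req);
}

int main(void) {
    printf("short path:    %d\n", handle_request_fixed("GET /index.html HTTP/1.1"));
    printf("63-byte path:  %d\n", check_path_length(63));   /* fits, with NUL */
    printf("64-byte path:  %d\n", check_path_length(64));   /* rejected */
    printf("200-byte path: %d\n", check_path_length(200));  /* rejected */
    return 0;
}
```

The check is `len >= sizeof path` rather than `len > sizeof path` because the terminating NUL also needs a byte; an off-by-one here is the classic way a "fixed" handler stays exploitable by a single byte. For detection on a device you cannot patch immediately, the same boundary (request fields at or above the parser's buffer size) is what to look for in HTTP traffic reaching the affected service.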

CWE(s)

CWE-121 (Stack-based Buffer Overflow)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: silabs
Product: gecko os
Version: 1.0.46

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
