Cyber Posture

CVE-2025-29311

High

Published: 24 March 2025

Modified: 01 April 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0024 (46.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-29311 is a high-severity Insufficient Entropy (CWE-331) vulnerability in Opennetworking Onos. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the vulnerability by requiring identification, testing, and installation of patches for the limited secret space flaw in ONOS v2.7.0.

prevent

Ensures cryptographic keys used in LLDP packets are established and managed with sufficient entropy to resist brute-force recovery attacks.

prevent, detect

Monitors and controls inbound communications at network boundaries to block or rate-limit crafted LLDP packets from unauthenticated attackers.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Why these techniques?

The vulnerability allows unauthenticated remote attackers to send crafted LLDP packets and, because of insufficient entropy, recover the private key by brute force. This maps directly to T1190 (Exploit Public-Facing Application) for the remote exploit and T1110 (Brute Force) for the key recovery attack. The recovered key then facilitates malicious packet generation impacting network data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Attackers are able to leverage this vulnerability into creating crafted LLDP packets.

Deeper analysis

CVE-2025-29311 is a vulnerability in ONOS version 2.7.0, stemming from a limited secret space in LLDP packets that allows attackers to recover the private key via brute-force attacks. This issue, classified under CWE-331 (Insufficient Entropy), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): a high confidentiality impact, exploitable over the network without authentication or user interaction.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted LLDP packets to brute-force the constrained secret space, enabling recovery of the private key. With the key obtained, attackers can generate additional malicious LLDP packets, potentially compromising sensitive network discovery and configuration data processed by the affected ONOS instance.

For mitigation guidance, refer to the advisory at https://gist.github.com/Saber-Berserker/790f2a75ae482df3fd0fce569f30504a.

Details

CWE(s)

CWE-331 (Insufficient Entropy)

Affected Products

Vendor: opennetworking
Product: onos
Version: 2.7.0

CVEs Like This One

CVE-2025-29310 - Same product: Opennetworking Onos
CVE-2025-29312 - Same product: Opennetworking Onos
CVE-2020-36925 - Shared CWE-331
CVE-2025-15387 - Shared CWE-331
CVE-2026-41080 - Shared CWE-331
CVE-2025-13399 - Shared CWE-331
CVE-2024-53522 - Shared CWE-331
CVE-2026-34236 - Shared CWE-331
CVE-2026-22698 - Shared CWE-331
CVE-2025-1860 - Shared CWE-331