Cyber Posture

CVE-2025-30472

Severity: Critical · Public PoC

Published: 22 March 2025
Modified: 03 November 2025
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30472 is a critical-severity stack-based buffer overflow (CWE-121) in Corosync (vendor and product: corosync). Its CVSS v3.1 base score is 9.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks it at the 36.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Applying updates to Corosync beyond version 3.1.9 directly remediates the stack-based buffer overflow in orf_token_endian_convert triggered by large UDP packets.

prevent (SI-10, Information Input Validation): Validating the size and format of incoming UDP packets, in particular checking every length or count field read from the datagram against both the bytes actually received and the capacity of the destination structure, stops the large packet from causing the out-of-bounds write in the endian conversion function.

prevent (SI-16, Memory Protection): Stack canaries, ASLR and similar memory protections make exploitation of the stack-based buffer overflow harder even if invalid input reaches the function. They are a backstop, not a fix: a canary turns a successful write past the buffer into an abort of the daemon, which on a cluster node is still an availability loss.
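To make the input-validation control concrete, here is an added example written for this page, not code from the Corosync project: a constructed, simplified token layout with the endian-conversion pattern that trusts a wire-supplied entry count, beside a checked version that bounds the count by both the destination capacity and the datagram length before writing anything. The struct names, field layout, the 16-entry capacity and the sample packets are all assumptions for illustration; the real orf_token layout is in exec/totemsrp.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified layout for this example (NOT Corosync's real
 * struct orf_token): a fixed 8-byte header followed by a variable number
 * of 8-byte retransmit-request entries, all big-endian on the wire. */
#define MAX_RTR_ENTRIES 16   /* assumed fixed capacity of the stack-resident copy */
#define TOKEN_HDR_LEN   8    /* seq (4 bytes) + rtr_list_entries (4 bytes) */
#define RTR_ENTRY_LEN   8    /* seq (4 bytes) + ring_id (4 bytes) */

struct rtr_entry {
    uint32_t seq;
    uint32_t ring_id;
};

struct token_msg {
    uint32_t seq;
    uint32_t rtr_list_entries;
    struct rtr_entry rtr_list[MAX_RTR_ENTRIES];
};

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* VULNERABLE pattern: the entry count comes straight off the wire and
 * bounds a loop that writes into a fixed-size structure on the caller's
 * stack. A packet claiming more than MAX_RTR_ENTRIES entries writes past
 * the end of out->rtr_list. Shown for contrast only; never call it on
 * untrusted input. */
void token_endian_convert_unsafe(const uint8_t *pkt, struct token_msg *out)
{
    out->seq = rd32be(pkt);
    out->rtr_list_entries = rd32be(pkt + 4);
    for (uint32_t i = 0; i < out->rtr_list_entries; i++) {
        const uint8_t *e = pkt + TOKEN_HDR_LEN + (size_t)i * RTR_ENTRY_LEN;
        out->rtr_list[i].seq     = rd32be(e);      /* out-of-bounds write once i >= MAX_RTR_ENTRIES */
        out->rtr_list[i].ring_id = rd32be(e + 4);
    }
}

/* HARDENED: every wire-derived quantity is checked against both the
 * destination capacity and the number of bytes actually received before
 * anything is written. Returns 0 on success, -1 on a rejected packet. */
int token_endian_convert_checked(const uint8_t *pkt, size_t pkt_len,
                                 struct token_msg *out)
{
    if (pkt_len < TOKEN_HDR_LEN)
        return -1;                                   /* header truncated */
    uint32_t n = rd32be(pkt + 4);
    if (n > MAX_RTR_ENTRIES)
        return -1;                                   /* would overflow rtr_list[] */
    if ((pkt_len - TOKEN_HDR_LEN) / RTR_ENTRY_LEN < n)
        return -1;                                   /* count exceeds payload bytes */

    memset(out, 0, sizeof(*out));
    out->seq = rd32be(pkt);
    out->rtr_list_entries = n;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = pkt + TOKEN_HDR_LEN + (size_t)i * RTR_ENTRY_LEN;
        out->rtr_list[i].seq     = rd32be(e);
        out->rtr_list[i].ring_id = rd32be(e + 4);
    }
    return 0;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t pkt_ok[TOKEN_HDR_LEN + 2 * RTR_ENTRY_LEN] = {
    0, 0, 0, 7,                  /* seq = 7 */
    0, 0, 0, 2,                  /* rtr_list_entries = 2 */
    0, 0, 0, 10, 0, 0, 0, 1,     /* entry 0: seq 10, ring 1 */
    0, 0, 0, 11, 0, 0, 0, 1,     /* entry 1: seq 11, ring 1 */
};
/* Claims 0xffffffff entries inside a 16-byte datagram: the trigger shape. */
const uint8_t pkt_huge_count[16] = {
    0, 0, 0, 7, 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0,
};
/* Claims 3 entries but carries only half of the first one. */
const uint8_t pkt_truncated[12] = {
    0, 0, 0, 7, 0, 0, 0, 3, 0, 0, 0, 1,
};

int main(void)
{
    struct token_msg m;
    printf("ok packet:  %d\n", token_endian_convert_checked(pkt_ok, sizeof pkt_ok, &m));
    printf("huge count: %d\n", token_endian_convert_checked(pkt_huge_count, sizeof pkt_huge_count, &m));
    printf("truncated:  %d\n", token_endian_convert_checked(pkt_truncated, sizeof pkt_truncated, &m));
    return 0;
}
```

The two checks in the hardened function are independent and both are needed: bounding the count by MAX_RTR_ENTRIES protects the destination buffer, while bounding it by the received length protects against reading past the datagram when the sender lies about how many entries follow.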

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The overflow sits in the handler for Corosync's UDP-based totem protocol, a network-facing service on every cluster node, so a crafted datagram from a host with network reach to the ring can compromise the node without credentials. That is the definition of exploiting a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.

Deeper analysis (AI-generated)

CVE-2025-30472 is a stack-based buffer overflow vulnerability in the orf_token_endian_convert function located in exec/totemsrp.c of Corosync versions through 3.1.9. The flaw is triggered by a large UDP packet when encryption is disabled or the attacker knows the encryption key. It maps to CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), published on 2025-03-22.

A remote attacker with network reach to the totem ring, needing no privileges or user interaction, can trigger the flaw; the high attack complexity reflects the precondition that totem encryption be disabled or the key already known. Successful exploitation yields a high-impact loss of confidentiality, integrity and availability with a changed scope, since Corosync provides membership and messaging for the whole cluster and a compromised daemon affects more than the host it runs on; the outcome can be remote code execution, and a crash of the daemon (a cluster outage) is the likely result even where code execution fails. Two compensating measures follow directly from the precondition: enable totem encryption (crypto_cipher and crypto_hash in the totem section of corosync.conf, with a key generated by corosync-keygen and distributed to every node), and restrict the totem UDP port (5405 by default) to cluster members at the host and network firewall.

Advisories point to mitigation via updates beyond Corosync 3.1.9. Key references include the Corosync project site at https://corosync.org, the vulnerable code at https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677, GitHub issue #778 at https://github.com/corosync/corosync/issues/778, and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/09/msg00023.html detailing backported fixes.

Details

CWE(s): CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Affected Products: corosync / corosync, versions ≤ 3.1.9

CVEs Like This One

CVE-2025-26595 (shared: CWE-121, CWE-787)
CVE-2026-3972 (shared: CWE-121, CWE-787)
CVE-2025-1268 (shared: CWE-787)
CVE-2026-37536 (shared: CWE-121)
CVE-2026-7426 (shared: CWE-787)
CVE-2024-49748 (shared: CWE-787)
CVE-2025-26598 (shared: CWE-787)
CVE-2026-41429 (shared: CWE-121)
CVE-2026-22790 (shared: CWE-121)
CVE-2025-14235 (shared: CWE-787)
