Cyber Resilience

CVE-2025-3714

Critical

Published: 09 May 2025

Modified: 15 April 2026
KEV Added: not listed
Patch
CVSS v4 score: 9.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0138 (80.7th percentile)
Risk priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-3714 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability affecting the LCD KVM over IP Switch CL5708IM (vendor not resolved; product inferred from references). Its CVSS v4 base score is 9.3 (Critical).

Operationally, it ranks in the top 19.3% of CVEs by exploit likelihood (EPSS 0.0138, 80.7th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The LCD KVM over IP Switch CL5708IM contains a stack-based buffer overflow vulnerability, tracked as CVE-2025-3714 and assigned CWE-121, in all firmware versions prior to v2.2.215. The flaw resides in the network-facing components of the device and carries a CVSS 4.0 score of 9.3, reflecting network attack vector, low complexity, and no required authentication or user interaction.

Unauthenticated remote attackers can send specially crafted network packets to trigger the overflow, resulting in arbitrary code execution on the affected KVM switch. Successful exploitation grants the attacker full control over the device, including the ability to manipulate connected systems or pivot further into the target environment.

Taiwan's CERT advisories direct administrators to upgrade the CL5708IM firmware to version 2.2.215 or later; the referenced bulletins at twcert.org.tw provide the official remediation guidance and affected product details.

The associated EPSS score remains low and unchanged at 0.0138, indicating no material increase in observed exploitation interest since disclosure.

Vulnerability details

The LCD KVM over IP Switch CL5708IM has a Stack-based Buffer Overflow vulnerability in firmware versions prior to v2.2.215, allowing unauthenticated remote attackers to exploit this vulnerability to execute arbitrary code on the device.

CWE(s): CWE-121 (Stack-based Buffer Overflow)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

LCD KVM over IP Switch CL5708IM, firmware versions prior to v2.2.215 (vendor inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
