CVE-2025-66216
Published: 29 November 2025
Summary
CVE-2025-66216 is a critical-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Aiscatcher Ais-Catcher. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly addressing this heap buffer overflow by mandating upgrades to the patched AIS-catcher version 0.64.
SI-16 enforces memory protection mechanisms like ASLR and DEP that comprehensively mitigate heap buffer overflow exploits allowing arbitrary code execution.
SI-10 mandates input validation to restrict malformed AIS messages, addressing the improper buffer size calculation stemming from CWE-131 and CWE-787.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow enables remote unauthenticated arbitrary code execution in network-accessible AIS receiver software, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, a heap buffer overflow vulnerability has been identified in the AIS::Message class of AIS-catcher. This vulnerability allows an attacker to write approximately 1KB of arbitrary data into a 128-byte buffer.…
more
This issue has been patched in version 0.64.
Deeper analysisAI
CVE-2025-66216 is a heap buffer overflow vulnerability in the AIS::Message class of AIS-catcher, an open-source multi-platform AIS receiver software. Affecting versions prior to 0.64, the flaw enables an attacker to write approximately 1KB of arbitrary data into a 128-byte buffer, stemming from improper handling of input sizes as indicated by associated CWEs-131 (Incorrect Calculation of Buffer Size) and CWE-787 (Out-of-bounds Write). The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.
The vulnerability can be exploited remotely by unauthenticated attackers over the network with minimal prerequisites. Successful exploitation allows arbitrary code execution, data corruption, or denial of service by overwriting heap memory beyond the intended buffer boundaries, potentially compromising the AIS-catcher's functionality in receiving and processing Automatic Identification System (AIS) maritime data transmissions.
Mitigation is available through upgrading to AIS-catcher version 0.64, where the issue has been addressed via a specific commit. Official guidance is provided in the project's GitHub security advisory (GHSA-v53x-f5hh-g2g6) and the corresponding patch commit, recommending users review and apply the update promptly to prevent exploitation.
Details
- CWE(s)