Cyber Resilience

CVE-2025-67433

Severity: High
Published: 12 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v3.1): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0006 (17.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-67433 is a high-severity heap-based buffer overflow (CWE-122) in Open TFTP Server MultiThreaded version 1.7, a TFTP server project hosted on SourceForge (the affected product is inferred from the references and description; NVD has not filed a CPE for this CVE). Its CVSS v3.1 base score is 7.5 (High), which reflects an unauthenticated, network-reachable impact on availability only.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. The low EPSS score should be read alongside the proof-of-concept material referenced below: the input needed to trigger the crash is a single crafted TFTP DATA packet, so the practical barrier is reachability of UDP/69, not exploit development.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection); of the two, only input validation (or a patched build) removes the crash itself, since memory protections limit what an overflow can be escalated to but a process that detects heap corruption still aborts.

Deeper analysis

CVE-2025-67433 is a heap buffer overflow (CWE-122) in the processRequest function of Open TFTP Server MultiThreaded version 1.7. An attacker who can reach the server can trigger a Denial of Service (DoS) with a specially crafted DATA packet. Published on 2026-02-12, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): High, on account of unauthenticated remote disruption.

Any unauthenticated attacker with network access to the vulnerable TFTP server can exploit this issue with low complexity and no user interaction. TFTP runs over UDP (port 69 by default) and has no authentication by design, so "network access" means only the ability to deliver a datagram; the source address is trivially spoofable, which limits the value of IP-based blocking and of attribution from server logs. Sending a malicious DATA packet causes a heap buffer overflow that crashes the server process and renders the TFTP service unavailable. As scored, the impact is availability only: the reported outcome is a crash, and nothing on this page establishes code execution. Whether the service recovers depends on how the process is supervised; a crash of a TFTP server that serves PXE boot images or network-device configuration fetches blocks those workflows until it is restarted.
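The failure mode above, reduced to the code pattern a reviewer would look for, as an added example that is not code from Open TFTP Server, from the gists, or from this page: a DATA packet is parsed according to RFC 1350 and RFC 2348, and its payload length is checked against the negotiated block size before anything is copied. The page gives no code-level root cause, so the unchecked-copy function, all names, and the constructed datagrams are assumptions for illustration, not a description of processRequest.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* TFTP DATA packet (RFC 1350): opcode 3 (2 bytes, big-endian), block number
 * (2 bytes), then 0..blksize bytes of data. blksize is 512 unless a larger
 * value was negotiated with the RFC 2348 option (legal range 8..65464). */
#define TFTP_OP_DATA         3
#define TFTP_DEFAULT_BLKSIZE 512
#define TFTP_MAX_BLKSIZE     65464
#define TFTP_HDR_LEN         4

enum tftp_rc {
    TFTP_OK           =  0,
    TFTP_ERR_SHORT    = -1,   /* fewer than 4 bytes: no complete header */
    TFTP_ERR_OPCODE   = -2,   /* not a DATA packet */
    TFTP_ERR_OVERSIZE = -3,   /* payload longer than the negotiated block */
    TFTP_ERR_BLKSIZE  = -4    /* caller's blksize is outside RFC 2348 */
};

struct tftp_data {
    uint16_t block;           /* block number from the header */
    size_t datalen;           /* payload length, guaranteed <= blksize */
    const uint8_t *data;      /* points into the original datagram */
};

/* Vulnerable pattern (assumed for illustration, not Open TFTP Server's code):
 * the buffer is sized for the default block but the copy length comes straight
 * from the datagram, so more than 512 payload bytes write past the end of the
 * heap allocation (CWE-122). Shown for contrast; never call with datalen > 512. */
uint8_t *store_block_unchecked(const uint8_t *payload, size_t datalen)
{
    uint8_t *block = malloc(TFTP_DEFAULT_BLKSIZE);
    if (block == NULL) return NULL;
    memcpy(block, payload, datalen);     /* heap overflow when datalen > 512 */
    return block;
}

/* Hardened parser: validates the header and bounds the payload against the
 * negotiated blksize before any byte is copied (the SI-10 control). *out is
 * written only on success and may be NULL when only the verdict is wanted. */
int tftp_parse_data(const uint8_t *pkt, size_t len, size_t blksize,
                    struct tftp_data *out)
{
    if (blksize < 8 || blksize > TFTP_MAX_BLKSIZE) return TFTP_ERR_BLKSIZE;
    if (pkt == NULL || len < TFTP_HDR_LEN) return TFTP_ERR_SHORT;
    if (((pkt[0] << 8) | pkt[1]) != TFTP_OP_DATA) return TFTP_ERR_OPCODE;
    size_t datalen = len - TFTP_HDR_LEN;
    if (datalen > blksize) return TFTP_ERR_OVERSIZE;
    if (out != NULL) {
        out->block = (uint16_t)((pkt[2] << 8) | pkt[3]);
        out->datalen = datalen;          /* a later malloc(blksize)+memcpy is safe */
        out->data = pkt + TFTP_HDR_LEN;
    }
    return TFTP_OK;
}

/* Builds a constructed DATA datagram (header + datalen filler bytes) into buf;
 * returns its length, or 0 if buf is too small. Sample input, not captured traffic. */
size_t build_data_packet(uint8_t *buf, size_t bufsize, uint16_t block, size_t datalen)
{
    if (bufsize < TFTP_HDR_LEN + datalen) return 0;
    buf[0] = 0; buf[1] = TFTP_OP_DATA;
    buf[2] = (uint8_t)(block >> 8); buf[3] = (uint8_t)(block & 0xff);
    memset(buf + TFTP_HDR_LEN, 'A', datalen);
    return TFTP_HDR_LEN + datalen;
}

/* Verdict for a DATA packet carrying datalen payload bytes at a given blksize. */
int check_data_length(size_t datalen, size_t blksize)
{
    static uint8_t buf[TFTP_HDR_LEN + TFTP_MAX_BLKSIZE];
    size_t n = build_data_packet(buf, sizeof buf, 1, datalen);
    if (n == 0) return TFTP_ERR_OVERSIZE;   /* larger than any legal datagram */
    return tftp_parse_data(buf, n, blksize, NULL);
}

int main(void)
{
    /* A full default block is accepted; the crafted 1500-byte payload is
     * rejected before any copy (store_block_unchecked would overflow its
     * heap buffer on it); 1428 bytes pass only once that blksize is negotiated. */
    printf("512 @ 512   -> rc=%d\n", check_data_length(512, 512));
    printf("1500 @ 512  -> rc=%d\n", check_data_length(1500, 512));
    printf("1428 @ 512  -> rc=%d\n", check_data_length(1428, 512));
    printf("1428 @ 1428 -> rc=%d\n", check_data_length(1428, 1428));
    return 0;
}
```

Calling store_block_unchecked with a 1500-byte payload under -fsanitize=address aborts with a heap-buffer-overflow report; tftp_parse_data returns TFTP_ERR_OVERSIZE for the same input and never touches the heap. The same length test applied to datagrams captured on UDP/69 is a serviceable detection rule: a DATA packet longer than 4 plus the negotiated blksize is never legitimate.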

Advisories and related details are available via GitHub gists at https://gist.github.com/Hyobin/f1b7d48d29e60a378bb9c88ba8b8080a and https://gist.github.com/transparencybeam/f1b7d48d29e60a378bb9c88ba8b8080a, with the project hosted on SourceForge at https://sourceforge.net/projects/tftp-server/files/tftp%20server%20multithreaded/. Security practitioners should review the gists for proof-of-concept details, confirm the exact version deployed, and check the project page for an updated release; no fixed version is named on this page.

Vulnerability details

A heap buffer overflow in the processRequest function of Open TFTP Server MultiThreaded v1.7 allows attackers to cause a Denial of Service (DoS) via a crafted DATA packet.

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct remote exploitation of a public-facing TFTP server via a crafted packet to trigger an application DoS through a buffer overflow. T1190 describes the Internet-facing case; a TFTP server on an internal boot or management segment is reached the same way from any host on that segment, so the mapping also holds for an attacker with an internal foothold.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32135 (shared CWE-122)
CVE-2026-24682 (shared CWE-122)
CVE-2026-27654 (shared CWE-122)
CVE-2025-54878 (shared CWE-122)
CVE-2026-25897 (shared CWE-122)
CVE-2026-23827 (shared CWE-122)
CVE-2025-32990 (shared CWE-122)
CVE-2026-45584 (shared CWE-122)
CVE-2026-8175 (shared CWE-122)
CVE-2026-32945 (shared CWE-122)

Affected Assets

Open TFTP Server MultiThreaded 1.7 (SourceForge project tftp-server)
Inferred from the references and description; NVD did not file a CPE for this CVE, so CPE-based asset matching will not surface it and inventories must key on the product name and version.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires validation of TFTP DATA packet inputs before they are used: the payload length must be checked against the expected block size before it is copied, which removes the heap buffer overflow in the processRequest function.

SI-16 Memory Protection (prevent)
Implements memory protection mechanisms (hardened allocator, ASLR, non-executable memory) that limit what a heap buffer overflow can be escalated to. They do not prevent the crash itself: a process that detects heap corruption still aborts, so this control reduces the chance of worse outcomes but does not restore availability.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the specific heap buffer overflow flaw in Open TFTP Server MultiThreaded v1.7; until a fixed release is confirmed on the project page, restrict UDP/69 reachability to the hosts that need it.
