Cyber Resilience

CVE-2025-68615

Severity: Critical · Public PoC available

Published: 23 December 2025
Modified: 19 February 2026
KEV Added: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4269 (98.5th percentile)
Risk Priority: 45 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68615 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in net-snmp (vendor Net-Snmp). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 1.5% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-68615 is a buffer overflow vulnerability (CWE-119) affecting the net-snmp snmptrapd daemon in versions prior to 5.9.5 and 5.10.pre2. net-snmp is an SNMP application library, tools, and daemon. The flaw is triggered by a specially crafted packet sent to the daemon, resulting in a buffer overflow that causes the daemon to crash. Published on 2025-12-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. By sending a malicious packet to an exposed snmptrapd instance, the attacker can trigger the buffer overflow, leading to high impacts on confidentiality, integrity, and availability, including denial of service via daemon crash and potential for greater compromise such as code execution.

The vulnerability has been addressed in net-snmp versions 5.9.5 and 5.10.pre2. Official advisories detail the patch on the net-snmp GitHub security page (GHSA-4389-rwqf-q9gq), oss-security mailing list (2026/01/09/2), and Debian LTS announce (2026/01/msg00000.html). Vicarius provides supplementary resources including a detection script and mitigation script for affected systems.


Vulnerability details

net-snmp is an SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to a net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A remote, unauthenticated buffer overflow in an exposed snmptrapd daemon, triggered by crafted SNMP trap packets, constitutes exploitation of a public-facing network service (T1190, T1210), leading to a DoS crash with potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62799 (same product: Debian Linux)
CVE-2025-2521 (shared CWE-119)
CVE-2026-24061 (same product: Debian Linux)
CVE-2025-0838 (same product: Debian Linux)
CVE-2025-68670 (same product: Debian Linux)
CVE-2024-46981 (same product: Debian Linux)
CVE-2025-8831 (shared CWE-119)
CVE-2025-33076 (shared CWE-119)
CVE-2025-7416 (shared CWE-119)
CVE-2025-14994 (shared CWE-119)

Affected Assets

net-snmp net-snmp: 5.10 · ≤ 5.9.5
Debian Debian Linux: 11.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: Directly remediates the buffer overflow vulnerability in net-snmp snmptrapd by requiring timely patching to versions 5.9.5 or 5.10.pre2.

Prevent (SC-7 Boundary Protection): Prevents specially crafted SNMP trap packets from reaching the vulnerable snmptrapd daemon through boundary protection mechanisms such as firewalls restricting access to UDP port 162.

Prevent (SI-10 Information Input Validation): Mandates validation of incoming SNMP trap packet inputs to block malformed data that triggers the buffer overflow in snmptrapd.
