Cyber Resilience

CVE-2025-69276

Low

Published: 12 January 2026

Published
12 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v4 2.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0026 16.8th percentile
Risk Priority 15 floored blend · peak EPSS

Summary

CVE-2025-69276 is a low-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Broadcom Dx Netops Spectrum. Its CVSS base score is 2.3 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69276 is a Deserialization of Untrusted Data vulnerability (CWE-502) in Broadcom DX NetOps Spectrum on Windows and Linux platforms. The flaw allows Object Injection and affects DX NetOps Spectrum versions 24.3.13 and earlier. Published on 2026-01-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and potential for significant impacts.

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), allowing object injection that could lead to arbitrary code execution or other severe compromises within the affected Spectrum instance.

The Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 provides details on mitigation strategies and available patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection.This issue affects DX NetOps Spectrum: 24.3.13 and earlier.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Deserialization vulnerability enables low-privileged remote attackers to perform object injection leading to arbitrary code execution, directly facilitating Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69274Same product: Broadcom Dx Netops Spectrum
CVE-2025-69270Same product: Broadcom Dx Netops Spectrum
CVE-2025-69272Same product: Broadcom Dx Netops Spectrum
CVE-2025-69271Same product: Broadcom Dx Netops Spectrum
CVE-2025-69269Same product: Broadcom Dx Netops Spectrum
CVE-2025-69273Same product: Broadcom Dx Netops Spectrum
CVE-2025-23303Same product: Linux Linux Kernel
CVE-2026-33518Same product: Linux Linux Kernel
CVE-2026-23193Same product: Linux Linux Kernel
CVE-2026-31432Same product: Linux Linux Kernel

Affected Assets

broadcom
dx netops spectrum
≤ 25.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the deserialization of untrusted data vulnerability by applying vendor-provided patches for affected DX NetOps Spectrum versions.

prevent

Validates untrusted input data prior to deserialization to prevent object injection attacks exploiting CWE-502.

prevent

Provides memory protections such as DEP and ASLR to mitigate exploitation consequences like arbitrary code execution from deserialization flaws.

References