CVE-2025-25374
Published: 25 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-25374 is a denial-of-service vulnerability in NASA's Core Flight System (cFS) Aquila version, where it is possible to place the onboard software into a state that prevents the launch of any external applications. This issue, linked to CWE-400 (Uncontrolled Resource Consumption), carries a CVSS v3.1 base score of 7.5, reflecting high-impact availability disruption with no confidentiality or integrity effects.
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without scope change (S:U). An unauthenticated attacker with network access to the affected cFS Aquila system can trigger the condition, resulting in a platform-wide denial of service by blocking all external application launches and halting normal onboard software operations.
Mitigation details and further assessment are available in the advisory published by Vision Space at https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/. Security practitioners should consult this reference for patching guidance or workarounds specific to cFS Aquila deployments.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated DoS via resource consumption (CWE-400) that prevents external application launches and halts system operations, directly enabling T1499.004 Application or System Exploitation.