CVE-2025-25565
Published: 12 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-25565 is a buffer overflow vulnerability (CWE-120) affecting SoftEther VPN version 5.02.5187, specifically in the Command.c source file through the PtMakeCert and PtMakeCert2048 functions. Published on 2025-03-12, it has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high impacts on confidentiality, integrity, and availability.
The vulnerability can be triggered by providing overly long input strings to the affected functions, leading to a buffer overflow. While the CVSS vector suggests network-accessible exploitation without privileges or user interaction, the supplier disputes its validity as a remotely exploitable issue, asserting that it only enables a local user to attack themselves by entering a long string directly on the command line.
Advisories referenced in the CVE include a supplier statement at https://filecenter.softether-upload.com/d/250715_001_79538/CVE-2025-25565.pdf and researcher details at https://lzydry.github.io/CVE-2025-25565/. Both highlight the disputed, self-affecting nature of the issue. Neither specifies patches or mitigations; the supplier's position is that the issue does not qualify as a vulnerability warranting a fix.
Details
- CWE(s): CWE-120
Affected Products
- SoftEther VPN version 5.02.5187
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in the local command-line certificate functions (PtMakeCert/PtMakeCert2048) can be exploited for arbitrary code execution within the client management tool, which maps to client-side exploitation even though remote reachability is disputed.