CVE-2025-69276
Published: 12 January 2026
Description
Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection. This issue affects DX NetOps Spectrum: 24.3.13 and earlier.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the deserialization of untrusted data vulnerability by applying vendor-provided patches for affected DX NetOps Spectrum versions.
Validates untrusted input data prior to deserialization to prevent object injection attacks exploiting CWE-502.
Provides memory protections such as DEP and ASLR to mitigate exploitation consequences like arbitrary code execution from deserialization flaws.
Security Summary
CVE-2025-69276 is a Deserialization of Untrusted Data vulnerability (CWE-502) in Broadcom DX NetOps Spectrum on Windows and Linux platforms. The flaw allows Object Injection and affects DX NetOps Spectrum versions 24.3.13 and earlier. Published on 2026-01-12, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and potential for significant impacts.
Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), allowing object injection that could lead to arbitrary code execution or other severe compromises within the affected Spectrum instance.
The Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 provides details on mitigation strategies and available patches.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization vulnerability enables low-privileged remote attackers to perform object injection leading to arbitrary code execution, directly facilitating Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).