CVE-2025-27829
📋 TL;DR
A vulnerability in Stormshield Network Security (SNS) firewalls allows attackers to disrupt multicast traffic when multicast streams are enabled on multiple interfaces. This can cause denial of service for multicast routing services. Organizations using affected SNS firewall versions with multicast configurations are impacted.
💻 Affected Systems
- Stormshield Network Security (SNS)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of multicast-dependent services like video streaming, financial data feeds, or industrial control systems relying on multicast routing through the firewall.
Likely Case
Intermittent multicast service interruptions affecting real-time applications and network services that depend on multicast traffic.
If Mitigated
Limited impact if multicast is not critical to operations or if traffic can be rerouted through unaffected paths.
🎯 Exploit Status
Exploitation requires network access to multicast traffic and knowledge of the firewall's multicast configuration. No authentication needed to trigger the condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.35 or later
Vendor Advisory: https://advisories.stormshield.eu/2025-002/
Restart Required: Yes
Instructions:
1. Download SNS version 4.3.35 or later from the Stormshield support portal.
2. Back up the current configuration.
3. Apply the update through the web interface or CLI.
4. Reboot the firewall as required.
5. Verify multicast functionality after the update.
🔧 Temporary Workarounds
Disable Multicast on Secondary Interfaces
Configure multicast streams to use only one interface instead of multiple interfaces
# Access SNS CLI
configure
interface <interface_name>
no multicast enable
commit
exit
Implement Multicast Rate Limiting
Apply rate limiting to multicast traffic to reduce the impact of potential disruptions
# Configure traffic shaping for multicast
configure
traffic-policy multicast-limit
rate-limit multicast 100mbps
apply-to interface <interface_name>
commit
exit
🧯 If You Can't Patch
- Isolate multicast traffic to a single interface only
- Implement network segmentation to limit multicast traffic exposure and monitor for anomalies
🔍 How to Verify
Check if Vulnerable:
Check the SNS version via the CLI ('show version') and verify whether it is running 4.3.x before 4.3.35. Check the multicast configuration ('show running-config | include multicast') to see whether multicast is enabled on multiple interfaces.
Check Version:
show version
Verify Fix Applied:
After patching, verify that the version is 4.3.35 or later with 'show version'. Test multicast functionality between interfaces and monitor for disruptions.
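As an added example (not from the original page or from Stormshield), the two checks above combined in Python: it parses a version number out of 'show version' output, flags 4.3.x releases below 4.3.35, and counts the interfaces with multicast enabled in a configuration excerpt. The banner text and the configuration line format are constructed assumptions, not real SNS output; adapt the patterns to what your firewall actually prints.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a 'show version' style banner; the real SNS output
# format is not known here, so only the dotted version number is parsed.
SAMPLE_VERSION_OUTPUT = "Stormshield Network Security version 4.3.32 (build 12345)"

# Constructed configuration excerpt with an assumed line format (adapt the
# matching below to the real 'show running-config | include multicast' output).
SAMPLE_CONFIG = """\
interface in1
 multicast enable
interface out1
 multicast enable
interface dmz1
 no multicast enable
"""

FIXED_VERSION = (4, 3, 35)  # first fixed release named by the advisory page


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first dotted major.minor.patch version from CLI output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_affected(version: Tuple[int, int, int]) -> bool:
    """True for 4.3.x releases older than 4.3.35 (the only range the page names)."""
    return version[:2] == FIXED_VERSION[:2] and version < FIXED_VERSION


def multicast_interfaces(config: str) -> list:
    """Return the names of interfaces whose block enables multicast."""
    enabled, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and line.strip() == "multicast enable":
            enabled.append(current)
    return enabled


def assess(version_output: str, config: str) -> dict:
    """Both conditions must hold: affected release AND multicast on more than one interface."""
    version = parse_version(version_output)
    ifaces = multicast_interfaces(config)
    vulnerable = version is not None and version_affected(version) and len(ifaces) > 1
    return {"version": version, "multicast_interfaces": ifaces, "vulnerable": vulnerable}


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CONFIG))
```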
📡 Detection & Monitoring
Log Indicators:
- Multicast routing table flapping
- Interface multicast state changes
- Increased multicast packet loss logs
- Firewall multicast service restart events
Network Indicators:
- Sudden drops in multicast traffic patterns
- Multicast group membership instability
- Increased ICMP destination unreachable messages for multicast addresses
SIEM Query:
source="sns-firewall" (multicast AND (drop OR error OR restart)) OR (interface AND multicast AND state_change)