CVE-2025-49162

6.4 MEDIUM

📋 TL;DR

This vulnerability in Arris VIP1113 devices allows remote attackers to overwrite arbitrary files via TFTP by using specially crafted filenames containing spaces. Attackers can control the local filename on the device, potentially leading to system compromise. All Arris VIP1113 devices running KreaTV SDK through May 30, 2025 are affected.

💻 Affected Systems

Products:
  • Arris VIP1113
Versions: All versions through 2025-05-30
Operating Systems: Embedded Linux with KreaTV SDK
Default Config Vulnerable: ⚠️ Yes
Notes: Requires TFTP service to be enabled and accessible.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover through file overwrite leading to arbitrary code execution, persistent backdoor installation, or bricking of the device.

🟠 Likely Case

File system corruption, denial of service, or installation of malicious firmware/software on vulnerable devices.

🟢 If Mitigated

Limited impact if TFTP access is restricted to trusted networks only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to TFTP service and knowledge of vulnerable filename handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor Arris security advisories for updates.

🔧 Temporary Workarounds

Disable TFTP Service

all

Disable TFTP service on affected devices to prevent exploitation.

Check device configuration for TFTP settings and disable if possible

Network Segmentation

all

Restrict TFTP access to trusted management networks only.

Configure firewall rules to block TFTP (port 69) from untrusted networks

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict access controls
  • Monitor TFTP traffic for suspicious filename patterns containing spaces

🔍 How to Verify

Check if Vulnerable:

Check device firmware version and confirm TFTP service is enabled and accessible.

Check Version:

Check device web interface or CLI for firmware version information

Verify Fix Applied:

Verify TFTP service is disabled or inaccessible from untrusted networks.

📡 Detection & Monitoring

Log Indicators:

  • TFTP access logs showing filenames with spaces
  • File system modification events in unexpected locations

Network Indicators:

  • TFTP traffic to port 69 with unusual filename patterns
  • Multiple TFTP requests with space characters in filenames

SIEM Query:

destination_port:69 AND (filename:*\ * OR filename:*%20*)
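
The filename check behind these indicators, as an added example (not part of the original advisory or any vendor tooling): it parses TFTP read/write request payloads as laid out in RFC 1350 and flags filenames containing whitespace or %20. The function names and the sample payloads are constructed for illustration.

```python
import struct

# TFTP opcodes that carry a filename (RFC 1350): read and write requests.
REQUEST_OPCODES = {1: "RRQ", 2: "WRQ"}

def parse_tftp_request(payload: bytes):
    """Return (opcode_name, filename, mode) for an RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in REQUEST_OPCODES:
        return None  # DATA, ACK, ERROR, OACK carry no filename
    # Body layout: filename NUL mode NUL [option NUL value NUL ...]
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:
        return None  # filename or mode is not NUL-terminated
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    return REQUEST_OPCODES[opcode], filename, mode

def suspicious_filename(filename: str) -> bool:
    """True for the patterns listed above: whitespace or an encoded space."""
    return any(ch.isspace() for ch in filename) or "%20" in filename

def flag_requests(payloads):
    """Return [(opcode_name, filename)] for requests worth alerting on."""
    hits = []
    for payload in payloads:
        parsed = parse_tftp_request(payload)
        if parsed and suspicious_filename(parsed[1]):
            hits.append((parsed[0], parsed[1]))
    return hits

# Constructed UDP payloads (destination port 69), not captured traffic.
SAMPLES = [
    b"\x00\x01firmware.bin\x00octet\x00",                         # normal RRQ
    b"\x00\x02image a.bin\x00octet\x00",                          # WRQ, literal space
    b"\x00\x01image%20a.bin\x00netascii\x00blksize\x001428\x00",  # RRQ, %20, option
    b"\x00\x03\x00\x01data",                                      # DATA packet
    b"\x00\x02truncated",                                         # malformed WRQ
]

if __name__ == "__main__":
    for opcode_name, filename in flag_requests(SAMPLES):
        print(f"ALERT {opcode_name} filename={filename!r}")
```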
