CVE-2025-49480 – This CVE describes an out-of-bounds memory acce... (How to Fix)

Q: What is the severity of CVE-2025-49480?

CVE-2025-49480 has a CVSS score of 7.4 (HIGH). This CVE describes an out-of-bounds memory access vulnerability in the LZMA compression library used in ASR180x and ASR190x LTE telephony modules. Attackers could potentially read or write beyond allocated memory boundaries, leading to crashes or arbitrary code execution. The vulnerability affects Falcon_Linux, Kestrel, and Lapwing_Linux systems before version 1536.

📋 TL;DR

This CVE describes an out-of-bounds memory access vulnerability in the LZMA compression library used in ASR180x and ASR190x LTE telephony modules. Attackers could potentially read or write beyond allocated memory boundaries, leading to crashes or arbitrary code execution. The vulnerability affects Falcon_Linux, Kestrel, and Lapwing_Linux systems before version 1536.

💻 Affected Systems

Products:

Falcon_Linux
Kestrel
Lapwing_Linux

Versions: All versions before v1536

Operating Systems: Linux-based embedded systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems using ASR180x and ASR190x LTE telephony modules with vulnerable LZMA library

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or device takeover

🟠

Likely Case

Denial of service through system crashes or instability

🟢

If Mitigated

Limited impact with proper memory protection mechanisms and exploit mitigations

🌐 Internet-Facing: MEDIUM - Requires specific conditions and targeting of LTE telephony systems

🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or compromised internal systems

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires specific conditions and knowledge of the LTE telephony stack

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1536

Vendor Advisory: https://www.asrmicro.com/en/goods/psirt?cid=40

Restart Required: Yes

Instructions:

1. Download v1536 update from vendor 2. Apply update following vendor documentation 3. Restart affected systems 4. Verify update applied successfully

🔧 Temporary Workarounds

Disable vulnerable LZMA compression

linux

Disable LZMA compression features in LTE telephony stack if not required

# Configuration changes depend on specific system implementation

Network segmentation

all

Isolate affected LTE telephony systems from untrusted networks

🧯 If You Can't Patch

Implement strict network access controls to limit exposure
Monitor systems for abnormal behavior and crashes

🔍 How to Verify

Check if Vulnerable:

Check system version: if running Falcon_Linux, Kestrel, or Lapwing_Linux before v1536, system is vulnerable

Check Version:

cat /etc/os-release | grep VERSION_ID

Verify Fix Applied:

Verify system version is v1536 or later and check for absence of crashes in lte-telephony services

📡 Detection & Monitoring

Log Indicators:

Segmentation faults in lte-telephony processes
Memory access violation errors
Unexpected process crashes

Network Indicators:

Abnormal LTE telephony protocol traffic
Unexpected connections to telephony services

SIEM Query:

process.name: "lte-telephony" AND (event.type: "segmentation_fault" OR event.type: "memory_violation")

📊 Metadata

CVE ID: CVE-2025-49480

CVSS v3 Score: 7.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CWE: CWE-125

EPSS Score: 0.07% exploit probability (20.2th percentile)

Published: July 1, 2025

Last Updated: December 22, 2025

🔗 References

https://www.asrmicro.com/en/goods/psirt?cid=40 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-49480, you might also want to check these: