Login Sign Up

CVE-2025-62525

7.9 HIGH

📋 TL;DR

Local users on affected OpenWrt systems can read and write arbitrary kernel memory through the ltq-ptm driver ioctls, allowing kernel privilege escalation. This affects OpenWrt installations on Lantiq/Intel/MaxLinear xrx200, danube, and amazon SoCs with DSL in PTM mode. The vulnerability enables sandbox escape from services like ujail.

💻 Affected Systems

Products:
  • OpenWrt
Versions: All versions prior to 24.10.4
Operating Systems: OpenWrt Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Lantiq/Intel/MaxLinear xrx200, danube, and amazon SoCs with DSL in PTM mode. VRX518 DSL driver and ATM mode are not affected.

📦 What is this software?

Openwrt by Openwrt

View all CVEs affecting Openwrt →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root access, persistent backdoor installation, and bypass of all security controls including sandboxing.

🟠

Likely Case

Local privilege escalation allowing attackers to gain root privileges and potentially pivot to other systems on the network.

🟢

If Mitigated

Limited to local users only, but still enables full system compromise if an attacker gains local access.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over network.
🏢 Internal Only: HIGH - Local attackers or compromised services can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access but exploitation appears straightforward through driver ioctls. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenWrt 24.10.4

Vendor Advisory: https://openwrt.org/advisory/2025-10-22-2

Restart Required: Yes

Instructions:

1. Update OpenWrt to version 24.10.4 or later using opkg update && opkg upgrade. 2. Reboot the device to load the patched kernel module. 3. Verify the update was successful.

🔧 Temporary Workarounds

No workarounds available

all

The vendor advisory states there are no workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict local access to affected devices through strict access controls and network segmentation.
  • Monitor for unusual local privilege escalation attempts and kernel module loading activities.

🔍 How to Verify

Check if Vulnerable:

Check OpenWrt version with 'cat /etc/openwrt_release' and verify if version is earlier than 24.10.4. Also check if using affected Lantiq SoC with DSL in PTM mode.

Check Version:

cat /etc/openwrt_release | grep VERSION

Verify Fix Applied:

Verify OpenWrt version is 24.10.4 or later with 'cat /etc/openwrt_release'. Check kernel module version with 'modinfo ltq-ptm'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ioctl calls to ltq-ptm driver
  • Unexpected kernel module loading
  • Privilege escalation attempts

Network Indicators:

  • None - local exploitation only

SIEM Query:

Process execution where command contains 'ioctl' and target includes 'ltq-ptm' OR kernel module loading of suspicious drivers

📊 Metadata

CVE ID: CVE-2025-62525
CVSS v3 Score: 7.9 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
CWE: CWE-20
EPSS Score: 0.03% exploit probability (7th percentile)
Published: October 22, 2025
Last Updated: October 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-62525, you might also want to check these:

CVE-2022-47190 10.0

CVE-2022-47190 allows remote attackers to upload malicious firmware containing a webshell to Generex...

Same vulnerability type (CWE-20)
CVE-2024-3400 10.0

CVE-2024-3400 is a critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProte...

Same vulnerability type (CWE-20)
CVE-2023-42802 10.0

This critical vulnerability in GLPI allows attackers to upload malicious PHP files to unauthorized d...

Same vulnerability type (CWE-20)