CVE-2025-62526

7.9 HIGH

📋 TL;DR

CVE-2025-62526 is a heap buffer overflow in OpenWrt's ubusd daemon that allows an attacker to execute arbitrary code with the privileges of the ubus daemon. All OpenWrt devices running versions before 24.10.4 are affected. Because the flaw is in the event registration parsing code, which runs before authentication and ACL checks, exploitation bypasses those checks and grants unauthorized access to ubus functionality.

💻 Affected Systems

Products:
  • OpenWrt
Versions: All versions prior to 24.10.4
Operating Systems: OpenWrt Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All OpenWrt installations with ubusd running are vulnerable. The vulnerability exists in the ubus component used for inter-process communication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with ubus daemon privileges leading to complete device compromise, persistence, and lateral movement within the network.

🟠 Likely Case

Privilege escalation leading to unauthorized access to device management functions, configuration modification, and potential denial of service.

🟢 If Mitigated

Limited impact if network segmentation prevents access to ubus services from untrusted networks.

🌐 Internet-Facing: HIGH - ubus services may be exposed on WAN interfaces, allowing remote exploitation without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised devices can exploit this to gain elevated privileges and control other devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific ubus messages but does not require authentication. The heap corruption nature makes exploitation moderately complex.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenWrt 24.10.4

Vendor Advisory: https://github.com/openwrt/openwrt/security/advisories/GHSA-cp32-65v4-cp73

Restart Required: Yes

Instructions:

1. Update OpenWrt to version 24.10.4 or later using 'opkg update && opkg upgrade'.
2. Reboot the device to ensure ubusd restarts with the patched version.

🔧 Temporary Workarounds

No workarounds available

The vendor advisory states there are no workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict network access to ubus services using firewall rules to only allow trusted IP addresses.
  • Monitor for unusual ubus activity and consider disabling ubus if not required for device functionality.

🔍 How to Verify

Check if Vulnerable:

Check the OpenWrt version with 'cat /etc/openwrt_release' or 'opkg list-installed | grep ubus'. If the version is earlier than 24.10.4, the system is vulnerable.

Check Version:

cat /etc/openwrt_release | grep DISTRIB_RELEASE

Verify Fix Applied:

Verify ubus package version with 'opkg list-installed | grep ubus' and ensure it shows version 24.10.4 or later.
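As an added example (not from the advisory or the OpenWrt project), the following POSIX sh script parses DISTRIB_RELEASE from /etc/openwrt_release and compares it numerically, field by field, against the fixed release 24.10.4, so a string comparison does not mistake 24.10.10 for an older release. The treatment of "-rcN" suffixes and non-numeric SNAPSHOT strings is my assumption.

```sh
#!/bin/sh
# Added example, not from the advisory: classify an OpenWrt release string
# against the fixed release named on this page (24.10.4).
FIXED_RELEASE="24.10.4"

# vercmp A B: compare dotted numeric versions field by field and print lt, eq or gt.
# A plain string comparison would wrongly rank 24.10.10 below 24.10.4.
vercmp() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa="${va%%.*}"; fb="${vb%%.*}"
        case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
        case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then echo lt; return 0; fi
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}

# classify_release REL: print vulnerable, patched or undetermined.
# Assumption (mine, not the advisory's): an "-rcN" suffix is a pre-release of its
# base number, and SNAPSHOT or other non-numeric strings cannot be judged by number.
classify_release() {
    rel="$1"
    base="${rel%%-*}"
    case "$rel" in *-*) suffix="-${rel#*-}" ;; *) suffix="" ;; esac
    case "$base" in
        ''|*[!0-9.]*) echo undetermined; return 0 ;;
    esac
    case "$(vercmp "$base" "$FIXED_RELEASE")" in
        lt) echo vulnerable ;;
        gt) echo patched ;;
        eq) if [ -n "$suffix" ]; then echo vulnerable; else echo patched; fi ;;
    esac
}

# release_from_file PATH: extract the value of DISTRIB_RELEASE='...' from an openwrt_release file.
release_from_file() {
    sed -n "s/^DISTRIB_RELEASE='\([^']*\)'.*/\1/p" "$1"
}

# On a live device, report the verdict for the running release.
if [ -r /etc/openwrt_release ]; then
    running="$(release_from_file /etc/openwrt_release)"
    echo "OpenWrt release '$running': $(classify_release "$running")"
fi
```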

📡 Detection & Monitoring

Log Indicators:

  • Unusual ubus connection attempts
  • Failed ubus authentication attempts
  • Process crashes of ubusd

Network Indicators:

  • Unexpected connections to ubus ports (typically 80/tcp for HTTP JSON-RPC)
  • Malformed ubus protocol messages

SIEM Query:

source="ubusd" AND (event="crash" OR event="buffer_overflow" OR event="invalid_message")
