CVE-2025-63929

7.5 HIGH

📋 TL;DR

A null pointer dereference vulnerability in airpig2011 IEC104 allows concurrent threads to crash the application via segmentation fault, causing denial-of-service. This affects systems using IEC104 protocol implementations from the airpig2011 repository up to commit be6d841. Industrial control systems and SCADA environments using this library are primarily at risk.

💻 Affected Systems

Products:
  • airpig2011 IEC104 library
Versions: All versions through commit be6d841 (2019-07-08)
Operating Systems: All platforms running the vulnerable library
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability requires multi-threaded use of the IEC10X_PrioEnQueue function. Systems using single-threaded implementations or not using priority queuing may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of IEC104 communication systems leading to operational downtime in industrial environments, potentially affecting critical infrastructure monitoring and control.

🟠 Likely Case

Application crashes and restarts causing intermittent communication failures in IEC104 protocol implementations, disrupting data exchange between control systems.

🟢 If Mitigated

Controlled application restart with minimal service interruption if proper monitoring and automatic recovery mechanisms are in place.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires specific IEC104 protocol access, internet-exposed industrial systems could be targeted by sophisticated attackers.
🏢 Internal Only: HIGH - Internal industrial networks often lack segmentation and monitoring, making them vulnerable to both accidental and malicious triggering of this condition.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to trigger concurrent thread execution of the vulnerable function, which typically requires IEC104 protocol access and multi-threaded application design.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/airpig2011/IEC104/issues/21

Restart Required: Yes

Instructions:

1. Monitor the GitHub repository for patches.
2. Consider migrating to maintained alternatives.
3. If source code is available, implement thread-safe queue pointer validation before dereferencing.

🔧 Temporary Workarounds

Implement thread synchronization

Applies to: all

Add mutex locks around IEC10X_PrioEnQueue calls to prevent concurrent access

// C code example (the arguments of IEC10X_PrioEnQueue stay as in the existing call site):
#include <pthread.h>
static pthread_mutex_t queue_mutex = PTHREAD_MUTEX_INITIALIZER; // one lock shared by every caller
pthread_mutex_lock(&queue_mutex);
IEC10X_PrioEnQueue(/* existing arguments */);
pthread_mutex_unlock(&queue_mutex);
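A fuller illustration of this workaround and of step 3 of the fix instructions (thread-safe pointer validation before dereferencing), added here as an example and not code from the airpig2011 repository: a hypothetical priority queue whose enqueue rejects NULL pointers before touching them and serializes inserts with a mutex, plus a multi-threaded check that no insert is lost. The node and queue layouts, names and the 1000-items-per-thread load are assumptions, not the library's.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical node and queue layout; not the airpig2011 data structures. */
typedef struct node { int prio; int payload; struct node *next; } node_t;
typedef struct { node_t *head; size_t len; pthread_mutex_t lock; } pq_t;

/* Thread-safe enqueue: validate both pointers before any dereference, then
 * insert under the lock so no concurrent caller sees a half-updated list.
 * Returns 0 on success, -1 on invalid input instead of faulting. */
int safe_prio_enqueue(pq_t *q, node_t *n)
{
    if (q == NULL || n == NULL) return -1;
    pthread_mutex_lock(&q->lock);
    node_t **pp = &q->head;            /* higher prio first, FIFO within a prio */
    while (*pp != NULL && (*pp)->prio >= n->prio)
        pp = &(*pp)->next;
    n->next = *pp;
    *pp = n;
    q->len++;
    pthread_mutex_unlock(&q->lock);
    return 0;
}

static void *worker(void *q)           /* each worker enqueues 1000 items */
{
    for (int i = 0; i < 1000; i++) {
        node_t *n = calloc(1, sizeof *n);
        if (n == NULL) break;
        n->prio = i % 3; n->payload = i;
        if (safe_prio_enqueue(q, n) != 0) free(n);
    }
    return NULL;
}

/* Hammers one queue from nthreads (<= 16) threads; returns the final element
 * count, which equals nthreads * 1000 only if no insert was lost to a race. */
size_t concurrent_enqueue_count(int nthreads)
{
    pq_t q = { .head = NULL, .len = 0, .lock = PTHREAD_MUTEX_INITIALIZER };
    pthread_t tid[16];
    if (nthreads > 16) nthreads = 16;
    for (int i = 0; i < nthreads; i++) if (pthread_create(&tid[i], NULL, worker, &q) != 0) { nthreads = i; break; }
    for (int i = 0; i < nthreads; i++) pthread_join(tid[i], NULL);
    size_t count = 0;
    for (node_t *c; (c = q.head) != NULL; count++) { q.head = c->next; free(c); }
    pthread_mutex_destroy(&q.lock);
    return count;
}
```

The same NULL check and lock can be applied inside the real IEC10X_PrioEnQueue once its queue pointer is known; the stress function is only there to show that serialized inserts are neither lost nor corrupted under concurrency.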

Disable priority queuing

Applies to: all

Configure system to use non-priority queue functions if available

// Replace IEC10X_PrioEnQueue calls with IEC10X_EnQueue if supported

🧯 If You Can't Patch

  • Implement network segmentation to isolate IEC104 systems from untrusted networks
  • Deploy application monitoring with automatic restart capabilities for crash detection and recovery

🔍 How to Verify

Check if Vulnerable:

Check whether the airpig2011 IEC104 library is in use at or before commit be6d841: run grep -r 'airpig2011/IEC104' over the source tree, or check the git log for the commit history.

Check Version:

git log --oneline | grep be6d841 || find . -name "*.c" -exec grep -l "IEC10X_PrioEnQueue" {} \;

Verify Fix Applied:

Verify thread-safe queue pointer validation is implemented in IEC10X_PrioEnQueue function and test with concurrent thread execution.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in application logs
  • Unexpected application restarts
  • IEC104 communication timeouts

Network Indicators:

  • Abnormal IEC104 protocol traffic patterns
  • Multiple concurrent connections to IEC104 service

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "SIGSEGV") AND process="iec104"
