CVE-2025-66624

7.5 HIGH

📋 TL;DR

This vulnerability in the BACnet Protocol Stack library allows out-of-bounds memory reads when processing specially crafted BACnet network protocol data units (NPDUs). Systems using affected versions of the BACnet stack for building automation and control communications are vulnerable to denial of service (crash) and potential mis-routing of network replies.

💻 Affected Systems

Products:
  • BACnet Protocol Stack library
  • Any software using the BACnet-stack library
Versions: All versions prior to 1.5.0.rc2
Operating Systems: All platforms running BACnet-stack
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using the BACnet-stack library for BACnet communications; common in building management systems, HVAC controllers, and industrial automation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Reliable denial of service causing system crashes on protected builds (ASan/MPU/strict), and undefined behavior including potential memory corruption or mis-routed network traffic on unprotected builds.

🟠 Likely Case: Denial of service through application crashes when processing malformed BACnet packets, disrupting building automation systems.

🟢 If Mitigated: Minimal impact if proper memory protection mechanisms (ASan, MPU) are enabled, causing controlled crashes instead of undefined behavior.

🌐 Internet-Facing: MEDIUM - BACnet systems are typically on internal networks but may be exposed via gateways or misconfigurations; exploitation requires BACnet protocol access.
🏢 Internal Only: HIGH - BACnet is widely used in building automation systems (HVAC, lighting, access control) where internal network access is common among devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending specially crafted BACnet NPDU packets to vulnerable systems.

Exploitation requires network access to BACnet ports (typically 47808/UDP). The advisory indicates only memory reads occur, making RCE unlikely but DoS reliable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0.rc2 and later

Vendor Advisory: https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg

Restart Required: Yes

Instructions:

1. Update the BACnet-stack library to version 1.5.0.rc2 or later.
2. Rebuild any applications using the library.
3. Restart affected BACnet services or devices.

🔧 Temporary Workarounds

Network segmentation (all platforms): Isolate BACnet networks from untrusted networks using firewalls or VLANs.

Enable memory protection (linux): Build applications with AddressSanitizer (ASan), or on embedded targets configure the memory protection unit (MPU), so that out-of-bounds accesses become controlled crashes instead of undefined behavior.

gcc -fsanitize=address -o bacnet_app bacnet_app.c

🧯 If You Can't Patch

  • Implement strict network access controls to BACnet ports (47808/UDP) allowing only trusted devices.
  • Monitor for abnormal BACnet traffic patterns or repeated crashes of BACnet services.

🔍 How to Verify

Check if Vulnerable:

Check if BACnet-stack library version is earlier than 1.5.0.rc2 in application dependencies or linked libraries.

Check Version:

Check library version in source code or use: strings libbacnet.so | grep BACNET_STACK_VERSION

Verify Fix Applied:

Verify BACnet-stack library version is 1.5.0.rc2 or later and applications have been rebuilt with the updated library.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or segmentation faults in BACnet services
  • Error logs mentioning out-of-bounds memory access

Network Indicators:

  • Unusual BACnet NPDU packets smaller than expected
  • Traffic to BACnet port 47808/UDP from unexpected sources

SIEM Query:

source="bacnet.log" AND ("segmentation fault" OR "out of bounds" OR "crash")
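As an added defensive example (not code from bacnet-stack or the advisory), a checker for the "NPDU packets smaller than expected" indicator above: it parses the BACnet/IP BVLC header and the NPDU control and addressing fields (version, control, optional DNET/DLEN/DADR and SNET/SLEN/SADR, hop count, network message type) and flags datagrams whose declared lengths overrun the bytes actually received. The two sample datagrams are constructed for this example.

```python
"""Flag BACnet/IP datagrams whose NPDU header claims more bytes than received.
Added example, not bacnet-stack code; the sample datagrams at the bottom are constructed."""

BVLC_TYPE = 0x81
NPDU_FUNCTIONS = {0x0A, 0x0B}  # Original-Unicast-NPDU, Original-Broadcast-NPDU

def check_npdu(datagram: bytes) -> list:
    """Return a list of findings; an empty list means the header is self-consistent."""
    findings = []
    if len(datagram) < 4 or datagram[0] != BVLC_TYPE:
        return ["not a BACnet/IP BVLC frame"]
    function, bvlc_len = datagram[1], int.from_bytes(datagram[2:4], "big")
    if bvlc_len != len(datagram):  # BVLC length covers the whole datagram
        findings.append(f"BVLC length {bvlc_len} != datagram length {len(datagram)}")
    if function not in NPDU_FUNCTIONS:
        return findings  # other BVLC functions carry no NPDU to check
    npdu = datagram[4:]
    if len(npdu) < 2:
        return findings + ["NPDU shorter than version+control header"]
    if npdu[0] != 0x01:
        findings.append(f"unexpected NPDU version {npdu[0]:#x}")
    control, pos = npdu[1], 2
    # Destination (bit 5) and source (bit 3) specifiers: 2-byte network number,
    # 1-byte address length, then that many address bytes.
    for name, flag in (("DNET", 0x20), ("SNET", 0x08)):
        if control & flag:
            if pos + 3 > len(npdu):
                return findings + [f"{name} specifier truncated"]
            addr_len = npdu[pos + 2]
            pos += 3
            if pos + addr_len > len(npdu):
                over = pos + addr_len - len(npdu)
                return findings + [f"{name} address length {addr_len} overruns datagram by {over} byte(s)"]
            pos += addr_len
    if control & 0x20:  # hop count follows whenever a destination is present
        if pos >= len(npdu):
            return findings + ["hop count missing"]
        pos += 1
    if control & 0x80:  # network-layer message: type byte, plus vendor id if type >= 0x80
        if pos >= len(npdu):
            return findings + ["network message type missing"]
        if npdu[pos] >= 0x80 and pos + 3 > len(npdu):
            return findings + ["vendor id missing"]
    return findings

# Constructed: a routed Who-Is (DNET 0xFFFF, DLEN 0, hop 0xFF, APDU 10 08) and
# the same frame plus a source specifier whose SLEN (6) exceeds the 2 bytes present.
GOOD_DATAGRAM = bytes.fromhex("810b000c 0120 ffff00 ff 1008")
BAD_DATAGRAM = bytes.fromhex("810b000e 0128 ffff00 0001 06 0102")
```

Run it over UDP/47808 payloads captured at the segment boundary; any non-empty finding is worth correlating with the crash log indicators above.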
