CVE-2025-68388

5.3 MEDIUM

📋 TL;DR

This vulnerability in Packetbeat allows unauthenticated remote attackers to send malicious IPv4 fragments that trigger excessive memory and CPU allocation, causing performance degradation or denial of service. Organizations running vulnerable Packetbeat versions are affected.

💻 Affected Systems

Products:
  • Elastic Packetbeat
Versions: 8.19.9, 9.1.9, 9.2.3 and earlier
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All Packetbeat deployments processing IPv4 traffic are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete Packetbeat service disruption leading to loss of network traffic monitoring and potential cascading effects on dependent security systems.

🟠

Likely Case

Performance degradation of Packetbeat resulting in packet loss, delayed alerts, and reduced monitoring effectiveness.

🟢

If Mitigated

Minimal impact with proper network segmentation and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending specially crafted IPv4 fragments to vulnerable Packetbeat instances.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.19.10, 9.1.10, 9.2.4 or later

Vendor Advisory: https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-29/384177

Restart Required: Yes

Instructions:

1. Download the latest Packetbeat version from the Elastic downloads page.
2. Stop the Packetbeat service.
3. Install the updated version.
4. Restart the Packetbeat service.
5. Verify the service is running correctly.

🔧 Temporary Workarounds

Network segmentation and filtering

Applies to: all

Restrict access to Packetbeat instances and filter IPv4 fragments at the network perimeter.

Rate limiting

Applies to: all

Implement network rate limiting to prevent excessive fragment traffic.

🧯 If You Can't Patch

  • Implement strict network ACLs to limit Packetbeat exposure to untrusted networks
  • Deploy network IPS/IDS to detect and block malicious IPv4 fragment patterns

🔍 How to Verify

Check if Vulnerable:

Run packetbeat version and compare the reported version against the affected versions (8.19.9, 9.1.9, 9.2.3 and earlier).

Check Version:

packetbeat version

Verify Fix Applied:

Confirm the version is 8.19.10, 9.1.10, 9.2.4 or later, and monitor for abnormal resource usage after the upgrade.
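The version comparison above has three fixed branches, so a plain string match is not enough: 9.0.x is older than 9.1.9 and therefore affected even though "9.0" never appears in the affected list, while 9.3.0 is later than 9.2.4 and fixed. The following script is an added example, not Elastic's or Packetbeat's own tooling: it pulls the first semantic version out of the packetbeat version output (sample output below is constructed; the parser only needs a version number somewhere in the text) and applies the advisory's fixed-version rule branch by branch.

```python
"""Classify an installed Packetbeat against the CVE-2025-68388 fixed versions.

Added example for the verification step; not code from the advisory or from
Elastic. Fixed versions come from the advisory: 8.19.10, 9.1.10, 9.2.4 or later.
"""
import re
import subprocess

# Assumption: any 8.x release at or above 8.19.10 and any release at or above
# 9.2.4 carries the fix; the 9.1 branch is fixed from 9.1.10 onward.
FIXED_8_BRANCH = (8, 19, 10)
FIXED_9_1_BRANCH = (9, 1, 10)
FIXED_9_2_AND_LATER = (9, 2, 4)

# Constructed sample of what `packetbeat version` prints on a vulnerable host.
SAMPLE_OUTPUT = "packetbeat version 8.19.9 (amd64), libbeat 8.19.9"


def parse_version(text):
    """Return the first MAJOR.MINOR.PATCH found in text as a tuple of ints."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError("no version number found in: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_fixed(version):
    """Apply the advisory's fixed-version rule to a (major, minor, patch) tuple."""
    major, minor, patch = version
    if version >= FIXED_9_2_AND_LATER:          # 9.2.4+, 9.3.x, 10.x ...
        return True
    if (major, minor) == (9, 1) and patch >= FIXED_9_1_BRANCH[2]:
        return True
    if major == 8 and version >= FIXED_8_BRANCH:
        return True
    return False                                  # 9.0.x, 9.1.<10, 8.19.<10, 8.18 ...


def classify(version_output):
    """Map CLI output to ('fixed' | 'vulnerable', version tuple)."""
    version = parse_version(version_output)
    return ("fixed" if is_fixed(version) else "vulnerable", version)


def check_installed(binary="packetbeat"):
    """Run the real binary; only works where Packetbeat is installed."""
    proc = subprocess.run([binary, "version"], capture_output=True, text=True, check=True)
    return classify(proc.stdout)


if __name__ == "__main__":
    print(classify(SAMPLE_OUTPUT))   # constructed sample -> ('vulnerable', (8, 19, 9))
```

Run check_installed() on a host to test the live binary; classify() is kept separate so the rule can be unit-tested without Packetbeat present.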

📡 Detection & Monitoring

Log Indicators:

  • High memory/CPU usage alerts
  • Packetbeat process crashes or restarts
  • Increased error rates in Packetbeat logs

Network Indicators:

  • Unusual volume of IPv4 fragments
  • Fragments with abnormal size or offset values

SIEM Query:

source:packetbeat AND (memory_usage > 90% OR cpu_usage > 90%)
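The network indicators above (unusual fragment volume, fragments with abnormal size or offset values) can be checked independently of Packetbeat's own counters. The monitor below is an added example written for this page, not Packetbeat code or an Elastic detection rule. It decodes the fixed IPv4 header with struct, groups fragments by (source, destination, identification), and raises three kinds of alert: a fragment whose offset plus payload would exceed the 65535-byte datagram limit from RFC 791, a single datagram split into more fragments than a threshold, and a source that leaves more reassembly buffers incomplete than a threshold. The thresholds, the addresses and every sample packet are constructed assumptions; completed datagrams are released so normal traffic does not accumulate.

```python
"""Flag suspicious IPv4 fragment traffic from raw IPv4 packets.

Added illustration for the CVE-2025-68388 network indicators; this is not
Packetbeat code. Thresholds, addresses and sample packets are constructed.
"""
import struct
from collections import defaultdict

MAX_DATAGRAM = 65535          # RFC 791: largest reassembled datagram
MAX_FRAGS_PER_DATAGRAM = 64   # assumed threshold, tune for your network
MAX_PENDING_PER_SRC = 100     # assumed threshold: open reassembly buffers per source


def parse_ipv4(pkt):
    """Extract the fields a fragment check needs from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, _proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,      # offset field counts 8-byte units
        "payload_len": total_len - ihl,
    }


def make_fragment(src, dst, ident, offset, payload_len, mf):
    """Build a minimal IPv4 fragment as constructed test input (checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + b"\x00" * payload_len


class FragmentMonitor:
    """Tracks in-flight reassembly state per (src, dst, id) and emits alerts."""

    def __init__(self):
        self.pending = defaultdict(list)   # key -> [(offset, payload_len, mf), ...]

    @staticmethod
    def _complete(frags):
        """True when fragments cover offset 0 to the final fragment without gaps."""
        frags = sorted(frags)
        if frags[-1][2]:                   # highest-offset fragment still has MF set
            return False
        covered = 0
        for offset, length, _mf in frags:
            if offset > covered:           # hole before this fragment
                return False
            covered = max(covered, offset + length)
        return True

    def observe(self, pkt):
        """Feed one packet; return a list of alert strings (empty if benign)."""
        h = parse_ipv4(pkt)
        alerts = []
        if not h["mf"] and h["offset"] == 0:
            return alerts                  # unfragmented datagram, nothing to track
        key = (h["src"], h["dst"], h["id"])
        if h["offset"] + h["payload_len"] > MAX_DATAGRAM:
            alerts.append("oversize: %s offset+len=%d exceeds %d"
                          % (key, h["offset"] + h["payload_len"], MAX_DATAGRAM))
        buf = self.pending[key]
        buf.append((h["offset"], h["payload_len"], h["mf"]))
        if len(buf) > MAX_FRAGS_PER_DATAGRAM:
            alerts.append("fragment-count: %s has %d fragments" % (key, len(buf)))
        if self._complete(buf):
            del self.pending[key]          # release finished datagrams
        open_from_src = sum(1 for k in self.pending if k[0] == h["src"])
        if open_from_src > MAX_PENDING_PER_SRC:
            alerts.append("flood: %s has %d incomplete datagrams" % (h["src"], open_from_src))
        return alerts


def run_demo():
    """Replay constructed traffic; returns (pending after benign datagram, alerts)."""
    mon = FragmentMonitor()
    src, dst = "198.51.100.7", "192.0.2.10"      # constructed documentation addresses
    alerts = []
    # 1. benign two-fragment datagram: should reassemble and leave nothing pending
    alerts += mon.observe(make_fragment(src, dst, 1, 0, 1480, True))
    alerts += mon.observe(make_fragment(src, dst, 1, 1480, 100, False))
    benign_pending = len(mon.pending)
    # 2. a fragment claiming bytes beyond the 65535-byte datagram limit
    alerts += mon.observe(make_fragment(src, dst, 2, 65528, 16, False))
    # 3. many datagrams from one source that never complete
    for i in range(MAX_PENDING_PER_SRC + 1):
        alerts += mon.observe(make_fragment(src, dst, 1000 + i, 0, 8, True))
    return benign_pending, alerts


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

In the demo the benign datagram produces no alert and is released, the oversize fragment produces one alert, and the incomplete-datagram flood trips the per-source threshold twice (at the 101st and 102nd open buffer). The per-source count is recomputed on every packet for clarity; a production version would keep a counter per source and expire stale buffers on a timer.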

🔗 References
