CVE-2025-9157
📋 TL;DR
A use-after-free in tcprewrite, the packet-editing tool of the tcpreplay suite, lets a local attacker who can get tcprewrite to process a crafted capture file crash the tool or, potentially, execute arbitrary code with the privileges of the user running it. The bug is in the untrunc_packet function and affects tcpreplay versions up to 4.5.2-beta2. There is no network attack surface: exploitation requires local access and a malicious input file.
💻 Affected Systems
- appneta tcpreplay
⚠️ Manual Verification Required
The NVD entry for this CVE carries no CPE version range, so automated version-matching cannot decide from a version string alone whether a given installation is affected.
Why? The vendor/NVD data gives no machine-readable version bounds; the only version information available is the "up to 4.5.2-beta2" statement in the description, which is a ceiling rather than a range.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution in the context of the user running tcprewrite. tcprewrite is not a setuid binary, so this becomes privilege escalation only where a privileged account or an automated capture-processing job runs it on untrusted pcap files; in that setting, full compromise of that account is the worst case.
Likely Case
Denial of service causing tcprewrite to crash when processing malicious packet files.
If Mitigated
Limited impact due to local-only exploitation requirement and typical usage patterns.
🎯 Exploit Status
Exploit details (a crashing input and its analysis) are publicly available in the referenced GitHub issue and the linked material. Exploitation requires local access, or some other way to get a crafted capture file processed by tcprewrite.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 73008f261f1cdf7a1087dc8759115242696d35da
Vendor Advisory: https://github.com/appneta/tcpreplay/issues/970
Restart Required: No
Instructions:
1. Update tcpreplay to the latest release from the official repository.
2. If building from source, make sure the checkout includes commit 73008f261f1cdf7a1087dc8759115242696d35da (for example: git merge-base --is-ancestor 73008f261f1cdf7a1087dc8759115242696d35da HEAD).
3. Confirm the installed build with tcprewrite --version. A version string alone does not prove the commit is present: distribution packages may backport the fix without changing the version number, so check the package changelog where the build is not your own.
🔧 Temporary Workarounds
Restrict tcprewrite usage
Limit tcprewrite execution to trusted users only. Mode 750 still lets the binary's group execute it, so set the owning group deliberately (for example chown root:<trusted-group>) before relying on it; the setfacl line instead grants a single named user.
chmod 750 /usr/bin/tcprewrite
setfacl -m u:trusteduser:rx /usr/bin/tcprewrite
Input validation
Only process packet files from trusted sources. tcprewrite does nothing to authenticate its input, so an attacker-supplied pcap is the whole attack surface here.
🧯 If You Can't Patch
- Remove execute permissions for untrusted users on tcprewrite binary
- Monitor for suspicious tcprewrite process execution patterns
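As an added example (not tooling from the advisory or the tcpreplay project), the following script applies the group-based restriction described above and checks the result. The binary path /usr/bin/tcprewrite, the group name pcaptools and the use of getent/groupadd (a Linux host) are assumptions; the first two can be overridden through environment variables. The restriction step needs root; the check function does not.

```shell
#!/bin/sh
# Restrict who can execute tcprewrite until a fixed build is installed (added example,
# not from the advisory). Assumed path and group name: /usr/bin/tcprewrite, "pcaptools".
set -eu

TCPREWRITE_BIN="${TCPREWRITE_BIN:-/usr/bin/tcprewrite}"
TRUSTED_GROUP="${TRUSTED_GROUP:-pcaptools}"

# Return 0 when the "others" execute bit is set on $1, i.e. any local user can run it.
# Reads the first 10 characters of `ls -ld` so it behaves the same on GNU and BSD userland.
others_can_execute() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????????[xt]) return 0 ;;
        *)             return 1 ;;
    esac
}

# Owner root, group $2, mode 0750, then verify. chmod 750 alone keeps the group execute
# bit, so the group is set deliberately here instead of trusting whatever it was before.
restrict_binary() {
    bin="$1"; group="$2"
    getent group "$group" >/dev/null 2>&1 || groupadd "$group"
    chown "root:$group" "$bin"
    chmod 0750 "$bin"
    if others_can_execute "$bin"; then
        echo "restrict_binary: $bin is still world-executable" >&2
        return 1
    fi
    echo "$bin restricted to root and group $group; add operators with: usermod -aG $group <user>"
    # Per-user alternative without a group, as in the advisory: setfacl -m u:<user>:rx "$bin"
}

# Usage: sh restrict.sh apply   (as root). Without "apply" the script only defines functions.
if [ "${1:-}" = "apply" ]; then
    restrict_binary "$TCPREWRITE_BIN" "$TRUSTED_GROUP"
fi
```

others_can_execute is the check to keep in a compliance job: it is cheap, needs no privileges, and catches a package upgrade that silently resets the mode to 0755.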
🔍 How to Verify
Check if Vulnerable:
tcprewrite --version | grep -E '4\.5\.[0-2]|4\.5\.2-beta[0-2]'
A match means you are on a 4.5.x build, not that you are confirmed vulnerable: the pattern also matches a 4.5.2 final release, and it misses 4.4.x and older builds, which the "up to 4.5.2-beta2" bound also covers. Treat any version at or below 4.5.2-beta2 as affected until the fix commit is confirmed.
Check Version:
tcpreplay --version
(tcpreplay and tcprewrite are built from the same source tree and report the same version.)
Verify Fix Applied:
Confirm the build is newer than 4.5.2-beta2 or, for source builds, that the checkout contains commit 73008f261f1cdf7a1087dc8759115242696d35da. Distribution packages may backport the fix without bumping the version; in that case check the package changelog or the vendor advisory rather than the version string.
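Added example, not part of the advisory or the tcpreplay project: a shell check that extracts the version string, compares it against the 4.5.2-beta2 bound with pre-release ordering handled correctly (a beta sorts before the final release of the same number, which the grep pattern above cannot express), and, for source builds, asks git whether the fix commit is an ancestor of HEAD. It assumes --version output of the form "tcprewrite version: X.Y.Z[-betaN] ..." and that a git checkout is available for the commit test.

```shell
#!/bin/sh
# Version and commit checks for CVE-2025-9157 (added example, not from the advisory).
# Assumption: `tcprewrite --version` prints "tcprewrite version: X.Y.Z[-betaN] ...".
set -eu

FIX_COMMIT=73008f261f1cdf7a1087dc8759115242696d35da
LAST_AFFECTED=4.5.2-beta2

# Pull the first dotted version (optional -betaN suffix) out of a --version line.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9]+)?' | head -n 1
}

# Version string of the installed binary ($1, default tcprewrite); empty if none found.
installed_version() {
    out=$("${1:-tcprewrite}" --version 2>&1 || true)
    extract_version "$out"
}

# Return 0 when $1 <= $2 in release order. Pre-release builds (4.5.2-beta2) sort before
# the final release of the same number (4.5.2); an "rc1" style suffix is treated the same.
version_le() {
    awk -v a="$1" -v b="$2" '
    function parse(v, out,    n, base, pre, parts, i) {
        n = index(v, "-")
        if (n) { base = substr(v, 1, n - 1); pre = substr(v, n + 1) }
        else   { base = v; pre = "" }
        split(base, parts, ".")
        for (i = 1; i <= 3; i++) out[i] = parts[i] + 0
        if (pre == "") out[4] = 1e9        # final release sorts after any pre-release
        else { gsub(/[^0-9]/, "", pre); out[4] = pre + 0 }
    }
    BEGIN {
        split("", A); split("", B)
        parse(a, A); parse(b, B)
        for (i = 1; i <= 4; i++) {
            if (A[i] < B[i]) exit 0
            if (A[i] > B[i]) exit 1
        }
        exit 0
    }'
}

# Return 0 when the version string falls inside the advisory's affected range.
version_in_affected_range() {
    version_le "$1" "$LAST_AFFECTED"
}

# Source builds only: return 0 when the checkout at $1 contains the fix commit.
checkout_has_fix() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Human-readable verdict for the installed binary; non-zero exit when action is needed.
report() {
    ver=$(installed_version "${1:-tcprewrite}")
    if [ -z "$ver" ]; then
        echo "could not read a version from ${1:-tcprewrite} --version"; return 2
    fi
    if version_in_affected_range "$ver"; then
        echo "$ver is within the affected range (<= $LAST_AFFECTED): confirm the fix commit or update"
        return 1
    fi
    echo "$ver is newer than $LAST_AFFECTED"
}

# Usage: sh check.sh --check [path-to-tcprewrite]. Without --check only functions are defined.
if [ "${1:-}" = "--check" ]; then
    report "${2:-tcprewrite}"
fi
```

For a distribution package, a non-zero report is a prompt to read the package changelog, not proof of exposure, since a backported fix leaves the version string unchanged.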
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault messages for tcprewrite in kernel or journal logs ("tcprewrite[PID]: segfault at ..."), or systemd-coredump entries naming tcprewrite
- Unexpected termination of tcprewrite processes, including SIGABRT from glibc heap consistency checks (for example "free(): double free detected in tcache 2" on stderr), which a use-after-free can also trigger
Network Indicators:
- None - local-only vulnerability
SIEM Query:
process_name:"tcprewrite" AND (event_type:"crash" OR exit_code:139 OR exit_code:134)
Exit code 139 is 128 + SIGSEGV (11) and 134 is 128 + SIGABRT (6), as reported by the shell or job runner that invoked tcprewrite. A use-after-free does not always crash the process, so the absence of these events is not evidence that no malicious capture was processed.
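Added example (not from the advisory): detection logic for the log indicators above, run over constructed sample lines written in the Linux kernel segfault format and the systemd-coredump message format. Feed it real input from journalctl -k, journalctl -u systemd-coredump or /var/log/kern.log. The hostname, PIDs, addresses and timestamps in the sample are made up.

```shell
#!/bin/sh
# Detect tcprewrite crashes in kernel/journal text (added example, not from the advisory).
set -eu

# Constructed sample log: two tcprewrite crash records, one unrelated segfault, one benign line.
SAMPLE_LOG='Sep 02 10:14:03 capture01 kernel: tcprewrite[21743]: segfault at 7f3a1c0b8010 ip 000055d4b2a1e6c2 sp 00007ffd3a6f0e40 error 4 in tcprewrite[55d4b2a00000+1e000]
Sep 02 10:14:03 capture01 systemd-coredump[21745]: Process 21743 (tcprewrite) of user 1000 dumped core.
Sep 02 10:20:11 capture01 kernel: python3[22010]: segfault at 0 ip 00007f1c2e8d1a4b sp 00007ffe4c1d5d70 error 6 in libc.so.6[7f1c2e7b0000+1c0000]
Sep 02 10:21:45 capture01 systemd[1]: Started Session 12 of user alice.'

# Print the stdin lines that record a tcprewrite crash:
#   kernel:   "tcprewrite[PID]: segfault at ..."
#   coredump: "Process PID (tcprewrite) ... dumped core"
# `|| true` keeps an empty result from looking like a pipeline failure under set -e.
detect_tcprewrite_crashes() {
    grep -E 'tcprewrite\[[0-9]+\]: segfault at|Process [0-9]+ \(tcprewrite\) .*dumped core' || true
}

# Number of matching lines on stdin, printed as a bare integer.
count_tcprewrite_crashes() {
    detect_tcprewrite_crashes | awk 'END { print NR }'
}

# Distinct PIDs that crashed: a segfault and its coredump record share a PID, so a burst
# of different PIDs points at a pipeline repeatedly fed a bad capture.
crashed_pids() {
    detect_tcprewrite_crashes | awk '
        match($0, /tcprewrite\[[0-9]+\]/)          { print substr($0, RSTART + 11, RLENGTH - 12); next }
        match($0, /Process [0-9]+ \(tcprewrite\)/) { print substr($0, RSTART + 8,  RLENGTH - 21) }
    ' | sort -u
}

# Usage: journalctl -k --since today | sh detect.sh --scan
if [ "${1:-}" = "--scan" ]; then
    detect_tcprewrite_crashes
fi
```

Run against the constructed sample, detect_tcprewrite_crashes returns the two tcprewrite records and ignores the python3 segfault; crashed_pids reduces both to PID 21743. Pair this with the exit-code query above for batch jobs whose stderr is not captured in the journal.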
🔗 References
- https://drive.google.com/file/d/1_aONM_TOF96JbnYviPyZhVk-7HObtX8H/view?usp=sharing
- https://github.com/appneta/tcpreplay/commit/73008f261f1cdf7a1087dc8759115242696d35da
- https://github.com/appneta/tcpreplay/issues/970
- https://github.com/appneta/tcpreplay/issues/970#issuecomment-3198966053
- https://vuldb.com/?ctiid.320537
- https://vuldb.com/?id.320537
- https://vuldb.com/?submit.630495