CVE-2025-9385

5.3 MEDIUM

📋 TL;DR

A use-after-free vulnerability in tcpreplay's tcprewrite component allows local attackers to potentially crash the application or execute arbitrary code. This affects tcpreplay versions up to 4.5.1 when processing IPv6 packets. Only users who run tcprewrite locally on vulnerable systems are affected.

💻 Affected Systems

Products:
  • appneta tcpreplay
Versions: up to and including 4.5.1
Operating Systems: All platforms running tcpreplay
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects tcprewrite component when processing IPv6 packets. Systems not using tcprewrite or not processing IPv6 traffic are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary code execution as the user running tcprewrite; if that user is privileged, this amounts to local privilege escalation and can compromise the entire system.

🟠 Likely Case

Application crash (denial of service) when processing malicious IPv6 packets with tcprewrite.

🟢 If Mitigated

No impact if tcprewrite is not used or if proper access controls prevent local users from executing it.

🌐 Internet-Facing: LOW - Attack requires local execution, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local users can exploit this, but requires specific conditions (running tcprewrite on vulnerable version).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details have been published in references. Requires local access and ability to run tcprewrite with crafted IPv6 packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.2-beta3 or later

Vendor Advisory: https://github.com/appneta/tcpreplay/issues/972

Restart Required: No

Instructions:

1. Check the current version with 'tcpreplay --version'.
2. Upgrade to 4.5.2-beta3 or later using your package manager or by compiling from source.
3. Verify the fix with 'tcprewrite --version', which should report the patched version.

🔧 Temporary Workarounds

Disable tcprewrite usage (applies to: all platforms)

Either remove execute permissions for everyone, or restrict the binary to its owner (typically root). Note that a package upgrade or reinstall may restore the original permissions, and the binary path may differ on your distribution:

chmod -x /usr/bin/tcprewrite
chmod 700 /usr/bin/tcprewrite

Avoid IPv6 packet processing (applies to: all platforms)

Configure workflows so that IPv6 packets are not processed with tcprewrite.

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from executing tcprewrite
  • Monitor for crash logs or unexpected behavior in tcprewrite processes

🔍 How to Verify

Check if Vulnerable:

Run 'tcprewrite --version' and check whether the version is 4.5.1 or earlier (any version before 4.5.2-beta3 is unpatched).

Check Version:

tcprewrite --version

Verify Fix Applied:

Confirm version is 4.5.2-beta3 or later with 'tcprewrite --version'
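The version check above, carried through as a POSIX shell script (an added example, not tcpreplay project code). It assumes the first line of 'tcprewrite --version' has the form "tcprewrite version: 4.5.1 (build git:v4.5.1)"; only "-betaN" suffixes are special-cased, so that 4.5.2 pre-releases before beta3 are still reported as vulnerable while 4.5.2 final and anything later are reported as fixed. The function names (extract_version, is_fixed, classify) are the example's own.

```shell
#!/bin/sh
# Added example (not tcpreplay project code): decide whether an installed
# tcprewrite falls in the CVE-2025-9385 range (4.5.1 and earlier; fixed in
# 4.5.2-beta3 or later). ASSUMPTION: the first line of `tcprewrite --version`
# looks like "tcprewrite version: 4.5.1 (build git:v4.5.1)"; adjust the sed
# pattern in extract_version if your build prints something different.

# extract_version LINE -> prints "X.Y.Z" or "X.Y.Z-betaN", nothing if not found
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*version: *\([0-9][0-9.]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p' |
        head -n 1
}

# is_fixed VERSION -> exit status 0 if the version is 4.5.2-beta3 or later,
# 1 if it is still in the vulnerable range. Only "-betaN" suffixes are
# special-cased; any other suffix is treated like a final release.
is_fixed() {
    ver=$1
    base=${ver%%-*}                 # "4.5.2-beta3" -> "4.5.2"
    is_beta=0; beta=0
    case $ver in
        *-beta*) is_beta=1; beta=${ver##*-beta}; [ -n "$beta" ] || beta=0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.};  [ "$rest" != "$base" ] || rest=0      # "4"   -> minor 0
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" != "$rest" ] || patch=0    # "4.5" -> patch 0

    # Compare against 4.5.2 component by component.
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -lt 4 ]; then return 1; fi
    if [ "$minor" -gt 5 ]; then return 0; fi
    if [ "$minor" -lt 5 ]; then return 1; fi
    if [ "$patch" -gt 2 ]; then return 0; fi
    if [ "$patch" -lt 2 ]; then return 1; fi
    # Exactly 4.5.2: a final release is fixed, pre-releases only from beta3 on.
    if [ "$is_beta" -eq 0 ]; then return 0; fi
    [ "$beta" -ge 3 ]
}

# classify LINE -> prints fixed|vulnerable|unknown; exit status 0/1/2 respectively
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo unknown; return 2; fi
    if is_fixed "$v"; then echo fixed; return 0; fi
    echo vulnerable; return 1
}

# Query the installed binary if present; otherwise fall back to a constructed
# sample line so the script also runs on a host without tcprewrite.
if command -v tcprewrite >/dev/null 2>&1; then
    line=$(tcprewrite --version 2>&1 | head -n 1)
else
    line="tcprewrite version: 4.5.1 (build git:v4.5.1)"   # constructed sample
fi
status=$(classify "$line") || true
echo "$line -> $status (CVE-2025-9385; fixed in 4.5.2-beta3 or later)"
```

Run it on each host that has tcpreplay installed; a result of "unknown" means the version line did not match the assumed format and should be inspected by hand rather than treated as safe.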

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from tcprewrite process
  • Unexpected termination of tcprewrite

Network Indicators:

  • None - local exploit only

SIEM Query (exit code 139 is 128 + 11, i.e. the process was killed by SIGSEGV):

process.name:tcprewrite AND (event.type:crash OR exit_code:139)
