CVE-2025-9386

5.3 MEDIUM

📋 TL;DR

CVE-2025-9386 is a use-after-free vulnerability in tcpreplay's tcprewrite component that allows local attackers to potentially execute arbitrary code or cause denial of service. The vulnerability affects tcpreplay versions up to 4.5.1 and requires local access to exploit. Organizations using tcpreplay for network testing or packet manipulation are affected.

💻 Affected Systems

Products:
  • appneta tcpreplay
Versions: up to and including 4.5.1
Operating Systems: Linux, Unix-like systems, macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only the tcprewrite component is affected, and only when it processes a malicious packet file

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation leading to full system compromise or persistent backdoor installation

🟠 Likely Case: Application crash (denial of service) or limited memory corruption

🟢 If Mitigated: Minimal impact if proper access controls limit local user privileges

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely
🏢 Internal Only: MEDIUM - Local users with access to tcprewrite could exploit this vulnerability

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and knowledge of tcprewrite usage. Public exploit details available in disclosed references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.2-beta3 or later

Vendor Advisory: https://github.com/appneta/tcpreplay/issues/973

Restart Required: No

Instructions:

1. Download the latest version from GitHub releases.
2. Compile and install following the tcpreplay documentation.
3. Verify the installation with a version check.

🔧 Temporary Workarounds

Restrict tcprewrite access (platforms: all)

Limit execution of tcprewrite to trusted users only using file permissions:

chmod 750 /usr/local/bin/tcprewrite
chown root:trustedgroup /usr/local/bin/tcprewrite

Disable vulnerable component (platforms: all)

Remove or disable tcprewrite if it is not essential for operations. Use one of the following two commands, not both; the second keeps the binary so it can be restored after patching:

rm /usr/local/bin/tcprewrite
mv /usr/local/bin/tcprewrite /usr/local/bin/tcprewrite.disabled

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute tcprewrite
  • Monitor system logs for unusual tcprewrite execution patterns

🔍 How to Verify

Check if Vulnerable:

Check tcpreplay version: tcpreplay --version | grep -i version

Check Version:

tcpreplay --version

Verify Fix Applied:

Verify version is 4.5.2-beta3 or higher: tcpreplay --version
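Comparing the installed version against 4.5.2-beta3 by eye is error-prone once prerelease tags are involved (4.5.2-beta2 is still vulnerable, 4.5.2-beta3 and the 4.5.2 final release are not). The following script is an added example, not part of this advisory or of the tcpreplay project; it parses a version string, or a line of `tcpreplay --version` output, into a sortable key and reports whether the fix threshold is met. The sample output line it contains is constructed for illustration, and the exact `--version` output format of a given build is an assumption.

```python
import re
import sys

# Version at or above which CVE-2025-9386 is fixed (from the advisory).
FIXED_VERSION = "4.5.2-beta3"

# Matches "4.5.1", "4.5.2-beta3", "4.6.0-rc1"; the prerelease part is optional.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")


def parse_version(text):
    """Return a sortable key for the first version found in `text`.

    `text` may be a bare version string or a full `tcpreplay --version`
    output line such as "tcpreplay version: 4.5.1 (build git:v4.5.1)"
    (constructed sample; the real output format is an assumption).
    Key layout: (numeric parts, release flag, prerelease tag, tag number).
    A final release (flag 1) sorts after any prerelease (flag 0) of the
    same number, so 4.5.2 > 4.5.2-beta3 > 4.5.2-beta2 > 4.5.1.
    """
    # Prefer the token after "version:" so copyright years in later lines
    # are never mistaken for the version.
    anchored = re.search(r"version:\s*v?(\S+)", text, re.IGNORECASE)
    candidate = anchored.group(1) if anchored else text
    m = _VERSION_RE.search(candidate)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad "4.6" to (4, 6, 0)
    tag, tag_num = m.group(2), m.group(3)
    if tag is None:
        return (nums, 1, "", 0)
    return (nums, 0, tag.lower(), int(tag_num) if tag_num else 0)


def is_fixed(text):
    """True when the version in `text` is 4.5.2-beta3 or later."""
    return parse_version(text) >= parse_version(FIXED_VERSION)


def classify(text):
    """Human-readable verdict for a version string or --version output."""
    return "fixed" if is_fixed(text) else "VULNERABLE (CVE-2025-9386)"


if __name__ == "__main__":
    # Usage: tcpreplay --version 2>&1 | python3 check_cve_2025_9386.py
    # or:    python3 check_cve_2025_9386.py 4.5.2-beta3
    source = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    print(classify(source))
```

Pipe the real command output in with `2>&1`, since some builds print the banner to stderr; the script only needs the line carrying `version:`.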

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults in tcprewrite
  • Abnormal memory usage patterns in tcprewrite processes

Network Indicators:

  • None - local exploitation only

SIEM Query:

process.name:"tcprewrite" AND (event.action:"segmentation_fault" OR event.action:"memory_violation")
