VDE-2025-098
Vulnerability from csaf_baadem2mproductsgmbh - Published: 2026-04-02 10:00 - Updated: 2026-04-02 10:00Summary
Baade M2M-Products GmbH: ubusd heap buffer overflow vulnerability in OpenWRT prior to version 24.10.4
Severity
High
Notes
Summary: OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.
Impact: ubus clients could exploit this vulnerability, resulting in a potential execution of arbitrary code.
Remediation: Baade M2M-Products GmbH recommends to upgrade the Baade Linux OS version of our Products TCP/IP-Web-Connector 1xCOM (since 2018) and TCP/IP-Web-Connector 4xCOM to version 4.65 or later to fix the ubusd security vulnerability.
Disclaimer: Baade M2M-Products GmbH is not responsible for any side effects negatively affecting the real-time capabilities of our field devices during or immediately after the update process. It is strongly recommended that only trained professionals should perform updates and backups to our products.
Product Description: The field devices from Baade M2M-Products GmbH are industrial gateways shipped with a modified version of OpenWrt Linux.
Mitigation: Upgrade OpenWrt to 24.10.4 or later.
OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.
7.8 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-54004 | — | ||
| Unresolved product id: CSAFPID-54005 | — |
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-53004 | — |
Vendor Fix
|
|
| Unresolved product id: CSAFPID-53005 | — |
Vendor Fix
|
References
3 references
| URL | Category |
|---|---|
| https://www.baade-m2m.de | external |
| https://certvde.com/en/advisories/VDE-2025-098 | self |
| https://baade-m2m.csaf-tp.certvde.com/.well-known… | self |
Acknowledgments
CERT@VDE
certvde.com/
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "Coordination",
"urls": [
"https://certvde.com/"
]
},
{
"names": [
"Karsten Sperling"
],
"organization": "Apple",
"summary": "Reported by",
"urls": [
"https://github.com/ksperling-apple"
]
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "High"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/v1/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.",
"title": "Summary"
},
{
"category": "description",
"text": "ubus clients could exploit this vulnerability, resulting in a potential execution of arbitrary code.",
"title": "Impact"
},
{
"category": "description",
"text": "Baade M2M-Products GmbH recommends to upgrade the Baade Linux OS version of our Products TCP/IP-Web-Connector 1xCOM (since 2018) and TCP/IP-Web-Connector 4xCOM to version 4.65 or later to fix the ubusd security vulnerability.",
"title": "Remediation"
},
{
"category": "legal_disclaimer",
"text": "Baade M2M-Products GmbH is not responsible for any side effects negatively affecting the real-time capabilities of our field devices during or immediately after the update process. It is strongly recommended that only trained professionals should perform updates and backups to our products.",
"title": "Disclaimer"
},
{
"category": "description",
"text": "The field devices from Baade M2M-Products GmbH are industrial gateways shipped with a modified version of OpenWrt Linux.",
"title": "Product Description"
},
{
"category": "description",
"text": "Upgrade OpenWrt to 24.10.4 or later.",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@baade-m2m.de",
"name": "Baade M2M-Products GmbH",
"namespace": "https://baade-m2m.de"
},
"references": [
{
"category": "external",
"summary": "Baade M2M-Products GmbH",
"url": "https://www.baade-m2m.de"
},
{
"category": "self",
"summary": "VDE-2025-098: Baade M2M-Products GmbH: ubusd heap buffer overflow vulnerability in OpenWRT prior to version 24.10.4 - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-098"
},
{
"category": "self",
"summary": "VDE-2025-098: Baade M2M-Products GmbH: ubusd heap buffer overflow vulnerability in OpenWRT prior to version 24.10.4 - CSAF",
"url": "https://baade-m2m.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2025-098.json"
}
],
"title": "Baade M2M-Products GmbH: ubusd heap buffer overflow vulnerability in OpenWRT prior to version 24.10.4",
"tracking": {
"aliases": [
"VDE-2025-098"
],
"current_release_date": "2026-04-02T10:00:00.000Z",
"generator": {
"date": "2026-04-02T09:53:49.311Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.44"
}
},
"id": "VDE-2025-098",
"initial_release_date": "2026-04-02T10:00:00.000Z",
"revision_history": [
{
"date": "2026-04-02T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial version."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "1xCOM since 2018",
"product": {
"name": "TCP/IP-Web-Connector 1xCOM since 2018",
"product_id": "CSAFPID-10001",
"product_identification_helper": {
"cpe": "cpe:2.3:h:baade_m2m_products:tcp_ip_web_connector_1xcom_since_2018:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "4xCOM",
"product": {
"name": "TCP/IP-Web-Connector 4xCOM",
"product_id": "CSAFPID-10002",
"product_identification_helper": {
"cpe": "cpe:2.3:h:baade_m2m_products:tcp_ip_web_connector_4xcom:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_family",
"name": "TCP/IP-Web-Connector"
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:semver/\u003c4.65",
"product": {
"name": "Baade Linux \u003c4.65",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "4.65",
"product": {
"name": "Baade Linux 4.65",
"product_id": "CSAFPID-22001"
}
}
],
"category": "product_name",
"name": "Baade Linux"
}
],
"category": "product_family",
"name": "OS"
},
{
"branches": [
{
"category": "product_version",
"name": "3.22",
"product": {
"name": "Firmware 3.22",
"product_id": "CSAFPID-22002"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Baade M2M-Products GmbH"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-53004",
"CSAFPID-53005"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-54004",
"CSAFPID-54005"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_with",
"full_product_name": {
"name": "Firmware 3.22 installed with Baade Linux \u003c4.65",
"product_id": "CSAFPID-43003"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-21001"
},
{
"category": "installed_with",
"full_product_name": {
"name": "Firmware 3.22 installed with Baade Linux 4.65",
"product_id": "CSAFPID-44003"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-22001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 3.22 installed with Baade Linux \u003c4.65 on TCP/IP-Web-Connector 1xCOM since 2018",
"product_id": "CSAFPID-53004"
},
"product_reference": "CSAFPID-43003",
"relates_to_product_reference": "CSAFPID-10001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 3.22 installed with Baade Linux 4.65 on TCP/IP-Web-Connector 1xCOM since 2018",
"product_id": "CSAFPID-54004"
},
"product_reference": "CSAFPID-44003",
"relates_to_product_reference": "CSAFPID-10001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 3.22 installed with Baade Linux \u003c4.65 on TCP/IP-Web-Connector 4xCOM",
"product_id": "CSAFPID-53005"
},
"product_reference": "CSAFPID-43003",
"relates_to_product_reference": "CSAFPID-10002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 3.22 installed with Baade Linux 4.65 on TCP/IP-Web-Connector 4xCOM",
"product_id": "CSAFPID-54005"
},
"product_reference": "CSAFPID-44003",
"relates_to_product_reference": "CSAFPID-10002"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Karsten Sperling"
],
"organization": "Apple",
"summary": "Karsten Sperling reported the vulnerabilities to OpenWRT",
"urls": [
"https://github.com/ksperling-apple"
]
}
],
"cve": "CVE-2025-62526",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-54004",
"CSAFPID-54005"
],
"known_affected": [
"CSAFPID-53004",
"CSAFPID-53005"
]
},
"release_date": "2025-10-22T10:00:00.000Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-31T10:00:00.000Z",
"details": "Baade M2M-Products GmbH recommends to upgrade the Baade Linux OS version of our Products TCP/IP-Web-Connector 1xCOM (since 2018) and TCP/IP-Web-Connector 4xCOM to version 4.65 or later to fix the ubusd security vulnerability.",
"product_ids": [
"CSAFPID-53004",
"CSAFPID-53005"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-53004",
"CSAFPID-53005"
]
}
],
"title": "OpenWrt ubusd vulnerable to heap buffer overflow"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…