VDE-2025-098

Vulnerability from csaf_baadem2mproductsgmbh - Published: 2026-04-02 10:00 - Updated: 2026-04-02 10:00
Summary
Baade M2M-Products GmbH: ubusd heap buffer overflow vulnerability in OpenWRT prior to version 24.10.4
Severity
High
Notes
Summary: OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks; all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.
Impact: ubus clients could exploit this vulnerability, resulting in a potential execution of arbitrary code.
Remediation: Baade M2M-Products GmbH recommends upgrading the Baade Linux OS version of our products TCP/IP-Web-Connector 1xCOM (since 2018) and TCP/IP-Web-Connector 4xCOM to version 4.65 or later to fix the ubusd security vulnerability.
Disclaimer: Baade M2M-Products GmbH is not responsible for any side effects negatively affecting the real-time capabilities of our field devices during or immediately after the update process. It is strongly recommended that only trained professionals should perform updates and backups to our products.
Product Description: The field devices from Baade M2M-Products GmbH are industrial gateways shipped with a modified version of OpenWrt Linux.
Mitigation: Upgrade OpenWrt to 24.10.4 or later.

CWE-122 - Heap-based Buffer Overflow
Affected products
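Fixed:
  • CSAFPID-54004: Firmware 3.22 installed with Baade Linux 4.65 on TCP/IP-Web-Connector 1xCOM since 2018
  • CSAFPID-54005: Firmware 3.22 installed with Baade Linux 4.65 on TCP/IP-Web-Connector 4xCOM
Known affected (remediation: Vendor Fix):
  • CSAFPID-53004: Firmware 3.22 installed with Baade Linux <4.65 on TCP/IP-Web-Connector 1xCOM since 2018
  • CSAFPID-53005: Firmware 3.22 installed with Baade Linux <4.65 on TCP/IP-Web-Connector 4xCOM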
Acknowledgments
Apple Karsten Sperling github.com/ksperling-apple

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "Coordination",
        "urls": [
          "https://certvde.com/"
        ]
      },
      {
        "names": [
          "Karsten Sperling"
        ],
        "organization": "Apple",
        "summary": "Reported by",
        "urls": [
          "https://github.com/ksperling-apple"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/v1/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "ubus clients could exploit this vulnerability, resulting in a potential execution of arbitrary code.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Baade M2M-Products GmbH recommends to upgrade the Baade Linux OS version of our Products TCP/IP-Web-Connector 1xCOM (since 2018) and TCP/IP-Web-Connector 4xCOM to version 4.65 or later to fix the ubusd security vulnerability.",
        "title": "Remediation"
      },
      {
        "category": "legal_disclaimer",
        "text": "Baade M2M-Products GmbH is not responsible for any side effects negatively affecting the real-time capabilities of our field devices during or immediately after the update process. It is strongly recommended that only trained professionals should perform updates and backups to our products.",
        "title": "Disclaimer"
      },
      {
        "category": "description",
        "text": "The field devices from Baade M2M-Products GmbH are industrial gateways shipped with a modified version of OpenWrt Linux.",
        "title": "Product Description"
      },
      {
        "category": "description",
        "text": "Upgrade OpenWrt to 24.10.4 or later.",
        "title": "Mitigation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@baade-m2m.de",
      "name": "Baade M2M-Products GmbH",
      "namespace": "https://baade-m2m.de"
    },
    "references": [
      {
        "category": "external",
        "summary": "Baade M2M-Products GmbH",
        "url": "https://www.baade-m2m.de"
      },
      {
        "category": "self",
        "summary": "VDE-2025-098: Baade M2M-Products GmbH: ubusd heap buffer overflow vulnerability in OpenWRT prior to version 24.10.4 - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-098"
      },
      {
        "category": "self",
        "summary": "VDE-2025-098: Baade M2M-Products GmbH: ubusd heap buffer overflow vulnerability in OpenWRT prior to version 24.10.4 - CSAF",
        "url": "https://baade-m2m.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2025-098.json"
      }
    ],
    "title": "Baade M2M-Products GmbH: ubusd heap buffer overflow vulnerability in OpenWRT prior to version 24.10.4",
    "tracking": {
      "aliases": [
        "VDE-2025-098"
      ],
      "current_release_date": "2026-04-02T10:00:00.000Z",
      "generator": {
        "date": "2026-04-02T09:53:49.311Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "VDE-2025-098",
      "initial_release_date": "2026-04-02T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-04-02T10:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial version."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "1xCOM since 2018",
                    "product": {
                      "name": "TCP/IP-Web-Connector 1xCOM since 2018",
                      "product_id": "CSAFPID-10001",
                      "product_identification_helper": {
                        "cpe": "cpe:2.3:h:baade_m2m_products:tcp_ip_web_connector_1xcom_since_2018:*:*:*:*:*:*:*:*"
                      }
                    }
                  },
                  {
                    "category": "product_name",
                    "name": "4xCOM",
                    "product": {
                      "name": "TCP/IP-Web-Connector 4xCOM",
                      "product_id": "CSAFPID-10002",
                      "product_identification_helper": {
                        "cpe": "cpe:2.3:h:baade_m2m_products:tcp_ip_web_connector_4xcom:*:*:*:*:*:*:*:*"
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "TCP/IP-Web-Connector"
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:semver/\u003c4.65",
                    "product": {
                      "name": "Baade Linux \u003c4.65",
                      "product_id": "CSAFPID-21001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.65",
                    "product": {
                      "name": "Baade Linux 4.65",
                      "product_id": "CSAFPID-22001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Baade Linux"
              }
            ],
            "category": "product_family",
            "name": "OS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.22",
                "product": {
                  "name": "Firmware 3.22",
                  "product_id": "CSAFPID-22002"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Baade M2M-Products GmbH"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-53004",
          "CSAFPID-53005"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-54004",
          "CSAFPID-54005"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_with",
        "full_product_name": {
          "name": "Firmware 3.22 installed with Baade Linux \u003c4.65",
          "product_id": "CSAFPID-43003"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-21001"
      },
      {
        "category": "installed_with",
        "full_product_name": {
          "name": "Firmware 3.22 installed with Baade Linux 4.65",
          "product_id": "CSAFPID-44003"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-22001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.22 installed with Baade Linux \u003c4.65 on TCP/IP-Web-Connector 1xCOM since 2018",
          "product_id": "CSAFPID-53004"
        },
        "product_reference": "CSAFPID-43003",
        "relates_to_product_reference": "CSAFPID-10001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.22 installed with Baade Linux 4.65 on TCP/IP-Web-Connector 1xCOM since 2018",
          "product_id": "CSAFPID-54004"
        },
        "product_reference": "CSAFPID-44003",
        "relates_to_product_reference": "CSAFPID-10001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.22 installed with Baade Linux \u003c4.65 on TCP/IP-Web-Connector 4xCOM",
          "product_id": "CSAFPID-53005"
        },
        "product_reference": "CSAFPID-43003",
        "relates_to_product_reference": "CSAFPID-10002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.22 installed with Baade Linux 4.65 on TCP/IP-Web-Connector 4xCOM",
          "product_id": "CSAFPID-54005"
        },
        "product_reference": "CSAFPID-44003",
        "relates_to_product_reference": "CSAFPID-10002"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Karsten Sperling"
          ],
          "organization": "Apple",
          "summary": "Karsten Sperling reported the vulnerabilities to OpenWRT",
          "urls": [
            "https://github.com/ksperling-apple"
          ]
        }
      ],
      "cve": "CVE-2025-62526",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-54004",
          "CSAFPID-54005"
        ],
        "known_affected": [
          "CSAFPID-53004",
          "CSAFPID-53005"
        ]
      },
      "release_date": "2025-10-22T10:00:00.000Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-31T10:00:00.000Z",
          "details": "Baade M2M-Products GmbH recommends to upgrade the Baade Linux OS version of our Products TCP/IP-Web-Connector 1xCOM (since 2018) and TCP/IP-Web-Connector 4xCOM to version 4.65 or later to fix the ubusd security vulnerability.",
          "product_ids": [
            "CSAFPID-53004",
            "CSAFPID-53005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-53004",
            "CSAFPID-53005"
          ]
        }
      ],
      "title": "OpenWrt ubusd vulnerable to heap buffer overflow"
    }
  ]
}

