CVE-2025-65408 Overview
CVE-2025-65408 is a NULL pointer dereference vulnerability in Live555 Streaming Media v2018.09.02. The flaw resides in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function. Attackers can trigger the condition by supplying a crafted Audio Data Transport Stream (ADTS) file to the streaming server.
Successful exploitation causes a Denial of Service (DoS) by crashing the streaming media process. The vulnerability is tracked under [CWE-476] (NULL Pointer Dereference) and affects deployments that expose Live555 to network input.
Critical Impact
Remote attackers can crash Live555 streaming servers by delivering a malformed ADTS audio file, terminating media services for all connected clients.
Affected Products
- Live555 Streaming Media 2018.09.02
- RTSP/RTP server deployments embedding the affected Live555 release
- Downstream IP camera and media gateway firmware bundling the vulnerable version
Discovery Timeline
- 2025-12-01 - CVE-2025-65408 published to the National Vulnerability Database (NVD)
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-65408
Vulnerability Analysis
Live555 Streaming Media is a widely embedded C++ library that implements Real Time Streaming Protocol (RTSP), Real-time Transport Protocol (RTP), and Session Initiation Protocol (SIP) for media delivery. The ADTSAudioFileServerMediaSubsession class handles serving Advanced Audio Coding (AAC) streams wrapped in ADTS containers.
When a client requests an ADTS-backed stream, the server invokes createNewRTPSink() to build the RTP sink that will transport audio frames. The function dereferences pointers derived from parsing the ADTS file header without validating that the upstream parser returned a usable object. A crafted ADTS file causes the parser to leave a required pointer unset, and the subsequent dereference terminates the process.
Root Cause
The root cause is missing validation of the return value from the ADTS file parsing routine before its result is dereferenced inside createNewRTPSink(). When the header is malformed, the parser produces a NULL or partially initialized object that the sink construction logic treats as valid, satisfying [CWE-476].
Attack Vector
The attack vector is network-based and requires user interaction to load or serve the malicious file. An attacker can place a crafted .aac or .adts file in a directory served by the Live555 RTSP server, then trigger streaming through a standard DESCRIBE/SETUP exchange. The server process crashes when createNewRTPSink() is invoked, ending all active sessions until the daemon is restarted.
No authentication is required when the server allows anonymous RTSP access, which is common in IP camera and embedded streaming deployments. Public technical references are available on the GitHub Live555 Project and the associated Shimo Document.
Detection Methods for CVE-2025-65408
Indicators of Compromise
- Unexpected termination or repeated restarts of Live555-based RTSP services such as live555MediaServer
- ADTS or AAC files with malformed headers placed in directories exposed by the RTSP server
- RTSP DESCRIBE or SETUP requests immediately followed by process crash signatures in system logs
Detection Strategies
- Monitor process supervision logs for abnormal exit codes (SIGSEGV) on Live555 binaries
- Inspect RTSP access logs for requests targeting newly uploaded .aac or .adts resources from untrusted clients
- Use file integrity monitoring on streaming content directories to flag unauthorized media uploads
Monitoring Recommendations
- Forward RTSP server stdout/stderr and core dump events to a centralized logging pipeline
- Alert on repeated client sessions from a single source that precede service restarts
- Track network flows on TCP/554 and associated RTP ports for anomalous short-lived sessions
How to Mitigate CVE-2025-65408
Immediate Actions Required
- Inventory all systems running Live555 Streaming Media 2018.09.02, including embedded firmware
- Restrict RTSP access to trusted networks using firewall rules or VPN segmentation
- Disable anonymous file uploads to directories served by the RTSP daemon
- Remove or quarantine any untrusted ADTS/AAC files staged in media directories
Patch Information
No vendor advisory or fixed version has been published in the NVD record at the time of writing. Monitor the upstream GitHub Live555 Project repository for updated releases that add validation around ADTSAudioFileServerMediaSubsession::createNewRTPSink(). Organizations maintaining custom builds should add a NULL check on the parser output before constructing the RTP sink.
Workarounds
- Run the Live555 server under a process supervisor that auto-restarts on crash to limit downtime
- Enforce authentication on RTSP endpoints to prevent unauthenticated session establishment
- Block external network access to RTSP ports and require client connections through an authenticated gateway
# Configuration example: restrict RTSP access with iptables
iptables -A INPUT -p tcp --dport 554 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 554 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
