Skip to main content
CVE Vulnerability Database

CVE-2025-7921: Askey Modem Stack Overflow RCE Vulnerability

CVE-2025-7921 is a stack-based buffer overflow vulnerability in Askey modem models that enables unauthenticated remote attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-7921 Overview

CVE-2025-7921 is a stack-based buffer overflow vulnerability [CWE-121] affecting certain modem models developed by Askey. The flaw allows unauthenticated remote attackers to overwrite stack memory, control program execution flow, and potentially execute arbitrary code on affected devices. The Taiwan Computer Emergency Response Team (TWCERT/CC) coordinated the disclosure and published the advisory.

The vulnerability carries a CVSS 4.0 base score of 9.3, reflecting network-reachable exploitation with no authentication or user interaction. Successful exploitation compromises confidentiality, integrity, and availability of the affected modem.

Critical Impact

Unauthenticated remote attackers can execute arbitrary code on affected Askey modems, gaining full control of network edge devices that route subscriber traffic.

Affected Products

  • Askey modems (specific models identified in the TWCERT advisory)
  • Vendor-supplied firmware versions referenced in the TWCERT bulletin
  • Deployments where the affected modem service is reachable from untrusted networks

Discovery Timeline

  • 2025-07-21 - CVE-2025-7921 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7921

Vulnerability Analysis

The issue is a classic stack-based buffer overflow [CWE-121] in firmware running on certain Askey modem models. An attacker sends crafted input to a network-exposed service on the device. The service copies attacker-controlled data into a fixed-size stack buffer without sufficient bounds checking.

The overflow corrupts adjacent stack memory, including saved return addresses and frame pointers. By shaping the payload, an attacker redirects execution to attacker-supplied code or to existing code gadgets within firmware memory. Because the vulnerable service is reachable without authentication, exploitation does not require valid credentials or prior access.

The EPSS score is approximately 0.69% with a percentile near 72, indicating elevated relative likelihood of exploitation activity compared to typical CVEs. No public proof-of-concept is currently linked in the advisory references.

Root Cause

The root cause is missing or inadequate length validation when copying network-supplied data into a stack-allocated buffer. The handler trusts attacker-controlled size or content fields and uses unsafe copy operations such as strcpy, sprintf, or unbounded memcpy patterns common to embedded C code.

Attack Vector

The attack vector is network-based. An attacker reaches the vulnerable service over the network interface exposed by the modem and submits a malformed request that exceeds the expected buffer size. No authentication, user interaction, or local access is required, which makes the issue suitable for opportunistic scanning and worm-style propagation across exposed modems.

For verified technical details and affected version lists, refer to the TWCERT Security Advisory and the TWCERT Incident Report.

Detection Methods for CVE-2025-7921

Indicators of Compromise

  • Unexpected reboots, crashes, or watchdog resets on Askey modems consistent with failed exploitation attempts
  • Outbound connections from the modem to unfamiliar command-and-control infrastructure
  • Configuration changes, new administrative accounts, or DNS settings altered without authorization
  • Anomalously large or malformed requests targeting modem management services from external sources

Detection Strategies

  • Inspect inbound traffic to modem management interfaces for oversized fields and non-conforming protocol payloads
  • Alert on management-plane services responding from WAN-side interfaces that should be LAN-only
  • Correlate modem crash logs and syslog entries with adjacent network scanning activity

Monitoring Recommendations

  • Forward modem syslog and SNMP traps to a centralized logging platform for retention and correlation
  • Monitor north-south traffic at the carrier or enterprise edge for scanning patterns targeting CPE management ports
  • Track firmware version inventory and flag devices running versions identified as vulnerable in the TWCERT advisory

How to Mitigate CVE-2025-7921

Immediate Actions Required

  • Apply the firmware update published by Askey for the affected modem models as soon as it is available through the vendor or service provider
  • Restrict access to modem management services so they are not reachable from the public internet
  • Inventory deployed Askey modems and confirm firmware versions against the TWCERT advisory
  • Rotate administrative credentials and review device configurations for unauthorized changes after patching

Patch Information

Askey, coordinated through TWCERT/CC, has issued guidance for affected models. Consult the TWCERT Security Advisory for the authoritative list of affected models, fixed firmware versions, and update procedures. Service providers distributing these modems should push fixed firmware through their provisioning systems.

Workarounds

  • Disable WAN-side access to the modem's web administration, TR-069, and any remote management services until firmware is updated
  • Place vulnerable modems behind an upstream firewall and block inbound connections to management ports
  • Segment management traffic to a dedicated VLAN reachable only from trusted operator networks
  • Replace end-of-life modems that will not receive a vendor patch
bash
# Configuration example: block external access to common CPE management ports at an upstream firewall
iptables -A FORWARD -i wan0 -p tcp -m multiport --dports 80,443,7547,8080 -j DROP
iptables -A FORWARD -i wan0 -p udp --dport 7547 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.