CVE-2025-1616
published 2025-02-24CVE-2025-1616: A vulnerability, which was classified as critical, has been found in FiberHome AN5506-01A ONU GPON RP2511. Affected by this issue is some unknown functionality…
PriorityP273critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
8.74%
94.5th percentile
A vulnerability, which was classified as critical, has been found in FiberHome AN5506-01A ONU GPON RP2511. Affected by this issue is some unknown functionality of the component Diagnosis. The manipulation of the argument Destination Address leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fiberhome | an5506-01a_firmware | — | — |
| fiberhome | an5506-01a_onu_gpon | — | — |
| linux | linux_kernel | >= 5.10.0 < 5.10.247 | 5.10.247 |
| linux | linux_kernel | >= 5.11.0 < 5.15.197 | 5.15.197 |
| linux | linux_kernel | >= 5.16.0 < 6.1.159 | 6.1.159 |
| linux | linux_kernel | >= 6.13.0 < 6.17.10 | 6.17.10 |
| linux | linux_kernel | >= 6.2.0 < 6.6.118 | 6.6.118 |
| linux | linux_kernel | >= 6.7.0 < 6.12.60 | 6.12.60 |
| msrc | cbl2_vim_8.2.4925-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_vim_8.2.5064-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.05.8MEDIUMAV:N/AC:L/Au:M/C:P/I:P/A:P
vendor_msrc7.8HIGH
vendor_redhat6.7MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
mptcp: fix a race in mptcp_pm_del_add_timer()
osv·2025-12-04
CVE-2025-40257 mptcp: fix a race in mptcp_pm_del_add_timer()
mptcp: fix a race in mptcp_pm_del_add_timer()
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix a race in mptcp_pm_del_add_timer()
mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)
while another might have free entry already, as reported by syzbot.
Add RCU protection to fix this issue.
Also change confusing add_timer variable with stop_timer boolean.
syzbot report:
BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44
CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: events mptcp_worker
Call Tra
GHSA
GHSA-rhv9-gvq2-f88v: A vulnerability, which was classified as critical, has been found in FiberHome AN5506-01A ONU GPON RP2511
ghsa_unreviewed·2025-02-24
CVE-2025-1616 [MEDIUM] CWE-77 GHSA-rhv9-gvq2-f88v: A vulnerability, which was classified as critical, has been found in FiberHome AN5506-01A ONU GPON RP2511
A vulnerability, which was classified as critical, has been found in FiberHome AN5506-01A ONU GPON RP2511. Affected by this issue is some unknown functionality of the component Diagnosis. The manipulation of the argument Destination Address leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Red Hat
vim: vim xxd xxd.c main buffer overflow
vendor_redhat·2025-08-24·CVSS 4.8
CVE-2025-9390 [MEDIUM] CWE-120 vim: vim xxd xxd.c main buffer overflow
vim: vim xxd xxd.c main buffer overflow
A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.
A vulnerability was found in the xxd component of Vim in the main function of src/xxd/xxd.c. This flaw allows a local attacker to trigger a buffer overflow, which leads to a denial of service.
Statement: This vulnerability is marked MODERATE for a few reasons: first, because
Microsoft
Use after free in append_command in vim/vim
vendor_msrc·2022-05-10·CVSS 7.8
CVE-2022-1616 [HIGH] CWE-416 Use after free in append_command in vim/vim
Use after free in append_command in vim/vim
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
@huntrdev: @huntrdev
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.mic
No detection rules found.
No public exploits indexed.
2025-02-24
Published