CVE-2025-49163: Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow booting an arbitrary image via a crafted /usr/bin/gunzip file.
6.7
CVSS
Description
Arris VIP1113 devices through 2025-05-30 with KreaTV SDK allow booting an arbitrary image via a crafted /usr/bin/gunzip file.
Classification
CVE ID: CVE-2025-49163
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.7
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Problem Types
CWE-424 Improper Protection of Alternate PathAffected Products
Vendor: Arris
Product: VIP1113
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.02% (probability of being exploited)
EPSS Percentile: 2.15% (scored less or equal to compared to others)
EPSS Date: 2025-06-08 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-49163https://full-disclosure.eu/reports/2025/FDEU-CVE-2025-1c00-arris-bootloader-shell-injection.html