CVE-2025-66624
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66624
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bacnetstack bacnet_stack 1.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service symptoms in devices using the BACnet Stack version 1.5.0.rc1, especially when processing MS/TP DATA_EXPECTING_REPLY frames with very small (2-byte) NPDU payloads. A proof-of-concept involves sending a crafted DATA_EXPECTING_REPLY frame carrying a minimal 2-byte NPDU (e.g., bytes 01 04) on the MS/TP bus to trigger the out-of-bounds read and cause a crash on ASan/MPU builds. Detection commands would involve capturing and analyzing MS/TP traffic for such minimal NPDU frames or using AddressSanitizer-enabled builds to detect stack-buffer-overflow crashes at npdu.c:702. Specific commands are not provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading the BACnet Stack to version 1.5.0.rc2 or later, where the vulnerability is fixed by adding strict bounds checks on the lengths of request and reply PDUs before accessing their contents. If upgrading is not immediately possible, monitoring and filtering MS/TP traffic to block or detect malformed DATA_EXPECTING_REPLY frames with minimal NPDU lengths (e.g., 2-byte NPDUs) may reduce risk. Additionally, using builds with AddressSanitizer or MPU enabled can help detect exploitation attempts by causing immediate crashes rather than undefined behavior. [1, 2]

Executive Summary

This vulnerability exists in the BACnet Protocol Stack library before version 1.5.0.rc2. The npdu_is_expected_reply function reads certain bytes from request and reply PDUs without verifying if those bytes actually exist, leading to out-of-bounds reads. Specifically, bacnet_npdu_decode() can return an offset that allows tiny PDUs to pass version checks but then causes out-of-bounds memory reads. This can cause immediate crashes (denial of service) on protected builds or undefined behavior on unprotected builds.

Impact Analysis

The vulnerability can cause reliable denial of service (DoS) by crashing the application when processing certain BACnet PDUs. Although remote code execution is unlikely because only memory reads occur, the undefined behavior on unprotected builds could lead to mis-routing of replies, potentially disrupting communication.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66624. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart