CVE-2025-29329
BaseFortify
Publication date: 2026-01-12
Last updated on: 2026-01-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sagemcom | f@st_3686 | From magyar_4.121.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the ippprint (IPP) service on the Sagemcom F@st 3686 router if it is not needed, as the service is enabled by default and vulnerable. Additionally, restricting access to the IPP service from untrusted networks or applying network-level controls to block crafted HTTP requests targeting the 'Expect' header can reduce risk. Since the ippprint service does not automatically restart after crashing, monitoring for crashes and restarting the service manually may temporarily reduce exposure. Ultimately, applying a firmware update or patch from the vendor addressing this vulnerability would be the most effective mitigation, though no such update is mentioned in the resources. [1]
Can you explain this vulnerability to me?
This vulnerability is a buffer overflow in the Internet Printing Protocol (IPP) service called ippprint on the Sagemcom F@st 3686 router, version MAGYAR_4.121.0. It occurs because the ippprint service reads the 'Expect' HTTP header into a fixed-size 16-byte buffer using sscanf, but the header can be longer than 16 bytes. Sending an 'Expect' header longer than 16 bytes causes a buffer overflow, allowing an attacker to overwrite adjacent memory, including the return address on the stack. This can let the attacker redirect execution flow to malicious code and execute arbitrary code remotely within the local network. The ippprint binary lacks modern security protections like PIE, NX stack, and stack canaries, making exploitation easier. However, the IPP service does not restart automatically after crashing, and the current exploit has about a 10% success rate, which could be improved by combining with other bugs. [1]
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker within the local network to execute arbitrary code on the affected Sagemcom F@st 3686 router. This means the attacker could potentially take control of the device, manipulate its functions, intercept or alter network traffic, or use the device as a foothold to attack other devices on the network. Such unauthorized access can lead to loss of confidentiality, integrity, and availability of network resources. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the ippprint service on the Sagemcom F@st 3686 router (version MAGYAR_4.121.0) is running and by sending crafted HTTP requests with an 'Expect' header longer than 16 bytes to test for buffer overflow behavior. Network scanning tools can be used to identify the IPP service on the device. For example, using curl or netcat to send a crafted HTTP request with a long 'Expect' header to the router's IPP port may help detect the vulnerability. Specific commands could include: 1) nmap -p 631 --script ipp-info <target_ip> to detect IPP service; 2) curl -v -H "Expect: <long string>" http://<target_ip>/ippprint to test the service response. However, no exact detection commands are provided in the resources. [1]