Net-SNMP is an open-source implementation of the Simple Network Management Protocol (SNMP), a widely used standard for managing devices on IP networks, including tools like the snmptrapd daemon for handling SNMP trap messages.
A prominent recent vulnerability in Net-SNMP, tracked as CVE-2025-68615, is a critical stack-based buffer overflow in the snmptrapd service. This flaw allows remote, unauthenticated attackers to execute arbitrary code by sending a specially crafted SNMP trap packet to the service, which typically listens on UDP port 162. The issue stems from improper validation of the length of user-supplied data before it is copied into a fixed-size stack buffer, potentially leading to denial-of-service (DoS) crashes or full remote code execution (RCE) with the privileges of the account snmptrapd runs as.
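As an added illustration that is not Net-SNMP's code (the page does not show the actual vulnerable function), the following C program contrasts the general defect described above, copying a length-prefixed field from an untrusted datagram into a fixed-size stack buffer while trusting the declared length, with a hardened copy that checks the declared length against both the bytes actually received and the destination capacity before copying. The packet layout, the 32-byte buffer, the function names and the sample datagrams are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed field size for the demonstration, not a Net-SNMP constant. */
#define FIELD_MAX 32

/* Return codes of the hardened copy routine. */
enum copy_result {
    COPY_TRUNCATED_INPUT = -1,  /* declared length exceeds bytes received */
    COPY_TOO_LONG        = -2   /* declared length exceeds destination capacity */
};

/* Defective pattern: the first byte of the datagram is an attacker-controlled
 * length, and it is used directly as the memcpy size. If it is larger than
 * the destination, the copy runs past the end of the stack buffer. This
 * function exists only to show the defect; it is not exercised with an
 * overlong field in this program. */
int copy_field_unchecked(const uint8_t *pkt, char *dst)
{
    size_t declared = pkt[0];
    memcpy(dst, pkt + 1, declared);     /* no bound on 'declared' */
    dst[declared] = '\0';
    return (int)declared;
}

/* Hardened pattern: validate the declared length against the datagram size
 * and the destination capacity (leaving room for the terminating NUL)
 * before copying. Returns the number of bytes copied, or a negative code. */
int copy_field_checked(const uint8_t *pkt, size_t pkt_len,
                       char *dst, size_t dst_cap)
{
    if (pkt_len < 1)
        return COPY_TRUNCATED_INPUT;            /* no length byte at all */
    size_t declared = pkt[0];                   /* untrusted */
    if (declared > pkt_len - 1)
        return COPY_TRUNCATED_INPUT;            /* claims more than was received */
    if (declared >= dst_cap)
        return COPY_TOO_LONG;                   /* would overflow the buffer */
    memcpy(dst, pkt + 1, declared);
    dst[declared] = '\0';
    return (int)declared;
}

/* Models a trap handler that parses one field into a fixed-size stack
 * buffer. A negative result means the datagram is dropped. */
int handle_datagram(const uint8_t *pkt, size_t pkt_len)
{
    char field[FIELD_MAX];                      /* fixed-size stack buffer */
    return copy_field_checked(pkt, pkt_len, field, sizeof field);
}

/* Helper for checking the decoded content; 1 if it equals 'expect'. */
int field_matches(const uint8_t *pkt, size_t pkt_len, const char *expect)
{
    char field[FIELD_MAX];
    if (copy_field_checked(pkt, pkt_len, field, sizeof field) < 0)
        return 0;
    return strcmp(field, expect) == 0;
}

/* Constructed sample datagrams (first byte = declared field length). */
const uint8_t SAMPLE_OK[]          = { 5, 'h', 'e', 'l', 'l', 'o' };
const uint8_t SAMPLE_CLAIMS_MORE[] = { 200, 'x', 'y', 'z' };   /* 200 declared, 3 present */
const uint8_t SAMPLE_TOO_LONG[41]  = { 40 };  /* 40 declared, 40 zero bytes present */

int main(void)
{
    printf("well-formed field   -> %d\n",
           handle_datagram(SAMPLE_OK, sizeof SAMPLE_OK));           /* 5 */
    printf("claims more than sent -> %d\n",
           handle_datagram(SAMPLE_CLAIMS_MORE, sizeof SAMPLE_CLAIMS_MORE)); /* -1 */
    printf("exceeds buffer      -> %d\n",
           handle_datagram(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG));  /* -2 */
    return 0;
}
```

The two checks in copy_field_checked are independent: the first stops a read past the end of the received datagram, the second stops the write past the end of the stack buffer. A field that passes only one of them is still unsafe, which is why the hardened routine rejects on either before touching memcpy.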
Key Details
• Severity: Critical (CVSS v3.1 base score: 9.8/10), due to its network-accessible nature, low complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
• Affected Versions: All versions prior to 5.9.5 and 5.10.pre2. This affects many Linux distributions, network devices, and monitoring systems that rely on Net-SNMP for SNMP functionality.
• Exploitation: Attackers can trigger it remotely over the network with minimal effort, making it a high-risk threat to exposed SNMP services in enterprise environments.
Remediation
• Upgrade immediately to Net-SNMP version 5.9.5 or later (or 5.10.pre2 for development branches).
• As interim mitigations, firewall UDP port 162 to restrict access only to trusted sources, disable unnecessary SNMP trap handling, or monitor for anomalous traffic to the service.
• Check vendor-specific patches if using bundled Net-SNMP in appliances or OS distributions.
Net-SNMP has had other vulnerabilities historically, such as heap corruptions and denial-of-service issues in earlier versions (e.g., CVE-2018-18074), but CVE-2025-68615 stands out for its severity and potential for widespread impact on global network infrastructure. Organizations should scan for exposed instances using tools like Nmap and prioritize patching.