Critical Vulnerability in Kea DHCP Server Allows Remote Service Disruption with a Single Packet

A recently identified vulnerability in the ISC Kea DHCP server, designated as CVE-2025-40779, poses a significant threat to network infrastructures globally. This flaw enables remote attackers to crash DHCP services by sending a single maliciously crafted packet, potentially disrupting network operations across entire organizations.

Affected Versions and Impact

The vulnerability affects multiple versions of the Kea DHCP server, specifically versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0. Network administrators utilizing these versions are at immediate risk of denial-of-service (DoS) attacks that require no authentication or special privileges to execute.

Technical Details

The root cause of this vulnerability lies in an assertion failure within the kea-dhcp4 process. This failure occurs when specific client options interact with the subnet selection mechanism. If a DHCPv4 client sends a request containing particular option combinations and the Kea server cannot locate an appropriate subnet for that client, the service terminates unexpectedly due to a fatal assertion error.

Notably, this vulnerability is triggered exclusively by unicast messages sent directly to the Kea server. Broadcast DHCP messages, which constitute normal network traffic, do not trigger the flaw. This specificity indicates that attackers could deliberately target DHCP servers with precisely crafted unicast packets designed to exploit this weakness.

Severity Assessment

The flaw has been assigned a Common Vulnerability Scoring System (CVSS) score of 7.5, which categorizes it as high severity. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates that the vulnerability can be exploited remotely with low complexity, requires no privileges or user interaction, and results in a high impact on availability.

Discovery and Acknowledgments

This vulnerability was discovered through collaborative security research. Acknowledgments go to Jochen M., Martin Dinev from Trading212, Ashwani Kumar from the Post Graduate Institute of Medical Education & Research in Chandigarh, India, Bret Giddings from the University of Essex, and Florian Ritterhoff from Munich University of Applied Sciences.

Mitigation Measures

To address this critical vulnerability, ISC has released patched versions. Organizations are urged to upgrade immediately to Kea version 3.0.1 or 3.1.1, depending on their current deployment. No workarounds exist for this vulnerability, making immediate patching the only viable defense strategy.

Network administrators should prioritize this update, as DHCP services are critical infrastructure components. A successful attack could render entire network segments unable to obtain IP addresses, effectively causing widespread connectivity outages.

Broader Context

This vulnerability underscores the importance of maintaining up-to-date software and implementing robust security measures. Security issues have also been identified in other DHCP implementations. For instance, researchers at Akamai unveiled a technique that exploits the Dynamic Host Configuration Protocol (DHCP) administrators group to escalate privileges within Active Directory environments, potentially putting millions of Windows domains at risk. This technique does not exploit a vulnerability in the traditional sense but abuses legitimate features, making it a particularly insidious threat.

Additionally, a critical security vulnerability was found in TP-Link VN020-F3v(T) routers with firmware version TT_V6.2.1021. This flaw allows attackers to exploit a stack-based buffer overflow by sending specially crafted DHCP DISCOVER packets, which can cause the router to crash and become unresponsive. The impact of this vulnerability includes a confirmed Denial of Service (DoS), with the potential for Remote Code Execution (RCE).

Conclusion

The discovery of CVE-2025-40779 in the Kea DHCP server highlights the ongoing challenges in securing network infrastructure components. Organizations must remain vigilant, promptly apply security patches, and continuously monitor their systems to mitigate potential threats. While there are no known active exploits of this vulnerability at present, the simplicity of the attack vector makes it an attractive target for malicious actors seeking to disrupt network operations.