SB2025080418 - Multiple vulnerabilities in Alpine iLX-507
Published: August 4, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 secuirty vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2025-8472)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the parsing of vCard data. A remote user on the local network can trick a victim to connect to a malicious Bluetooth device, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Stack-based buffer overflow (CVE-ID: CVE-2025-8477)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the parsing of vCard data. A remote user on the local network can trick a victim to connect to a malicious Bluetooth device, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Command Injection (CVE-ID: CVE-2025-8480)
The vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to insufficient input validation within the Tidal music streaming application. A remote attacker on the local network can pass specially crafted data to the application and execute arbitrary commands.
4) Improper Certificate Validation (CVE-ID: CVE-2025-8476)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper certificate validation within the TIDAL music streaming application. A remote attacker on the local network can execute arbitrary code on the target system.
5) Stack-based buffer overflow (CVE-ID: CVE-2025-8475)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the implementation of the AVRCP protocol. A remote user on the local network can trick a victim to connect to a malicious Bluetooth device, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Stack-based buffer overflow (CVE-ID: CVE-2025-8474)
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the implementation of the Apple CarPlay protocol. An attacker with physical access can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Command Injection (CVE-ID: CVE-2025-8473)
The vulnerability allows a local user to execute arbitrary commands on the system.
The vulnerability exists due to insufficient input validation within the UPDM_wstpCBCUpdStart function. An authenticated attacker with physical access can pass specially crafted data to the application and execute arbitrary commands.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://www.zerodayinitiative.com/advisories/ZDI-25-761/
- https://www.zerodayinitiative.com/advisories/ZDI-25-767/
- https://www.zerodayinitiative.com/advisories/ZDI-25-766/
- https://www.zerodayinitiative.com/advisories/ZDI-25-765/
- https://www.zerodayinitiative.com/advisories/ZDI-25-764/
- https://www.zerodayinitiative.com/advisories/ZDI-25-763/
- https://www.zerodayinitiative.com/advisories/ZDI-25-762/