CVE-2025-0658 - Vulnerability Details - OpenCVE

A vulnerability in Automated Logic and Carrier's Zone Controller via BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Automated Logic	Zone Controllers
Carrier	Zone Controllers

No data.

No data.

References

Link	Providers
https://https://www.corporate.carrier.com/product-security/advisories-resources/

History

Thu, 27 Nov 2025 01:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in Automated Logic and Carrier's Zone Controller via BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed.
Title		Automated Logic and Carrier Zone Controllers malformed packets denial of service
First Time appeared		Automated Logic Automated Logic zone Controllers Carrier Carrier zone Controllers
Weaknesses		CWE-20
CPEs		cpe:2.3:a:automated_logic:zone_controllers:::::::: cpe:2.3:a:carrier:zone_controllers::::::::
Vendors & Products		Automated Logic Automated Logic zone Controllers Carrier Carrier zone Controllers
References		https://https://www.corporate.carrier.com/product-security/advisories-resources/
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Carrier

Published: 2025-11-27T01:00:16.431Z

Updated: 2025-11-27T01:00:16.431Z

Reserved: 2025-01-22T20:22:16.305Z

Link: CVE-2025-0658

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-11-27T01:15:46.583

Modified: 2025-11-27T01:15:46.583

Link: CVE-2025-0658

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0658", "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f", "state": "PUBLISHED", "assignerShortName": "Carrier", "dateReserved": "2025-01-22T20:22:16.305Z", "datePublished": "2025-11-27T01:00:16.431Z", "dateUpdated": "2025-11-27T01:00:16.431Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Zone Controllers", "vendor": "Automated Logic", "versions": [{"lessThan": "6.06-101", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Zone Controllers", "vendor": "Carrier", "versions": [{"lessThan": "6.06-101", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:automated_logic:zone_controllers:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.06-101", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:carrier:zone_controllers:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.06-101", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "reporter", "value": "Christopher Morales Gonzalez"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in Automated Logic and Carrier's Zone Controller via BACnet protocol\ncauses the device to crash. The device enters a fault state; after a reset,\na second packet can leave it permanently unresponsive until a manual power cycle\nis performed."}], "value": "A vulnerability in Automated Logic and Carrier's Zone Controller\u00a0via BACnet protocol\ncauses the device to crash. The device enters a fault state; after a reset,\na second packet can leave it permanently unresponsive until a manual power cycle\nis performed."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f", "shortName": "Carrier", "dateUpdated": "2025-11-27T01:00:16.431Z"}, "references": [{"url": "https://https://www.corporate.carrier.com/product-security/advisories-resources/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The fix for this vulnerability has been released in\nfirmware driver version 6.06-101 and later for both Automated Logic and Carrier\nZone controllers.</p>\n\n\n\n\n\n<br>"}], "value": "The fix for this vulnerability has been released in\nfirmware driver version 6.06-101 and later for both Automated Logic and Carrier\nZone controllers."}], "source": {"discovery": "UNKNOWN"}, "title": "Automated Logic and Carrier Zone Controllers malformed packets denial of service", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Automated Logic and Carrier's Zone Controller\u00a0via BACnet protocol\ncauses the device to crash. The device enters a fault state; after a reset,\na second packet can leave it permanently unresponsive until a manual power cycle\nis performed."}], "id": "CVE-2025-0658", "lastModified": "2025-11-27T01:15:46.583", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "productsecurity@carrier.com", "type": "Secondary"}]}, "published": "2025-11-27T01:15:46.583", "references": [{"source": "productsecurity@carrier.com", "url": "https://https://www.corporate.carrier.com/product-security/advisories-resources/"}], "sourceIdentifier": "productsecurity@carrier.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "productsecurity@carrier.com", "type": "Secondary"}]}