CVE-2025-63927

low-risk

Published 2025-11-12

A heap-use-after-free vulnerability exists in airpig2011 IEC104 thru Commit be6d841 (2019-07-08). During multi-threaded client execution, the function Iec10x_Scheduled can access memory that has already been freed, potentially causing program crashes or undefined behavior. This may be exploited to trigger a denial-of-service or memory corruption.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.0/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Iec104

Affected Vendors

Airpig2011

References (2)

Exploit https://github.com/airpig2011/IEC104/issues/20

Exploit https://songsong.host/mybugs/CVE-2025-63927.html

/ 100

low-risk

Severity 14/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal