Out-of-Bounds Read Vulnerability in ASR1903 and ASR3901 by ASR Micro
CVE-2025-13735

7.4HIGH

Key Information:

Vendor: Asr
Status: Lapwing Linux
Vendor: CVE Published:; 26 November 2025

What is CVE-2025-13735?

An out-of-bounds read vulnerability exists in the ASR1903 and ASR3901 devices running ASR Lapwing_Linux due to improper handling of memory access in the nr_fw modules, particularly within the program files located at Code/nr_fw/DLP/src/NrCgi.C. This flaw can potentially expose sensitive data and lead to unauthorized information leakage if exploited. The issue is present in versions prior to the specified timeframe of November 26, 2025.

Affected Version(s)

Lapwing_Linux Linux 0 < 2025/11/26

References

https://www.asrmicro.com/en/goods/psirt?cid=41

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 26, 2025
Vulnerability Reserved
Nov 26, 2025

CVE-2025-13735 Data

JSON

Asr

What is CVE-2025-13735?

Affected Version(s)

References

CVSS V3.1

Timeline