CVE Alert: CVE-2025-11232 – ISC – Kea

CVE-2025-11232

HIGH · No exploitation known

To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly. This issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
ISC
Product
Kea
Versions
3.0.1 lte 3.0.1 | 3.1.1 lte 3.1.2 | 2.6.0 lte 2.6.4 | 2.7.0 lte 2.7.9 | 3.0.0 lte 3.0.0 | 3.1.0 lte 3.1.0
CWE
CWE-823 Use of Out-of-range Pointer Offset
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-29T18:02:39.421Z
Updated
2025-10-29T18:22:23.455Z

AI Summary Analysis

Risk verdict

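High-severity DoS risk to Kea DHCP where the service is network-reachable. No exploits are currently known, and exploitability requires a specific configuration: hostname-char-set and hostname-char-replacement left at their defaults and ddns-qualifying-suffix set to a non-empty value.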

Why this matters

If exploited, the issue can crash the DHCP service, causing client network connectivity failures and potential enterprise-wide outages on DHCP-dependent devices. The impact falls directly on service availability, with potential knock-on effects on VPNs, VoIP, and device bootstrapping.

Most likely attack path

An external attacker can trigger a remote DoS by sending network traffic to kea-dhcp4 without authentication: the CVSS vector indicates network access, low complexity and no user interaction. Exploitability hinges on the three configuration preconditions: hostname-char-set and hostname-char-replacement at their defaults, and ddns-qualifying-suffix set to a non-empty value. DDNS updates do not need to be enabled, so servers that do not perform DDNS updates can still be affected. In practice, automated scans could probe for default settings, and attempts could cause the daemon to exit, leading to service disruption.

Who is most exposed

Deployments of Kea DHCP in data centres, campuses, or cloud environments where the DHCP service is reachable on shared networks are most at risk. Environments with default or legacy configurations (3.0.x/3.1.x in scope) are particularly relevant.

Detection ideas

  • Frequent kea-dhcp4 process crashes or core dumps
  • Unusual spikes in DHCP requests with anomalous option content
  • Recurrent DHCP daemon restarts and elevated CPU during incidents
  • Syslog/monitoring alerts showing abrupt service outages
  • Correlation of outages with specific network segments

Mitigation and prioritisation

  • Upgrade to patched releases: 3.0.2 or 3.1.3 across all instances
  • Apply the workaround: set hostname-char-replacement to a non-empty value (e.g., "x")
  • Review and tighten network exposure of DHCP servers; limit reachable segments
  • Validate the effective values of hostname-char-set, hostname-char-replacement and ddns-qualifying-suffix; consider disabling DDNS features if unused
  • Schedule patch testing and deployment in line with change-management processes
