CVE-2025-24975: CWE-754: Improper Check for Unusual or Exceptional Conditions in FirebirdSQL firebird
Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. Connections stored in ExtConnPool are not verified for the presence and suitability of the CryptCallback interface used when they were created versus what is available, which could result in a segfault in the server process. Encrypted databases accessed by EXECUTE STATEMENT ON EXTERNAL may be accessed later by an attachment missing a key to that database. When EXECUTE STATEMENT calls are chained, a segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.
AI Analysis
Technical Summary
CVE-2025-24975 is a high-severity vulnerability affecting FirebirdSQL, a relational database management system widely used for embedded and enterprise applications. The vulnerability arises from an improper check for unusual or exceptional conditions (CWE-754) related to the external connection pool configuration parameter ExtConnPoolSize. Specifically, if ExtConnPoolSize is set to a value other than 0, the Firebird server does not adequately verify the presence and suitability of the CryptCallback interface when connections are created and stored in the external connection pool (ExtConnPool). This improper validation can lead to a segmentation fault (segfault) in the server process. The segfault can occur in scenarios involving encrypted databases accessed via execute statements on external connections, where subsequent attachments may lack the necessary encryption key, as well as in unencrypted databases when execute statements are chained. This results in a potential denial of service (DoS) condition due to server crashes. The vulnerability affects Firebird versions prior to snapshot releases 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, and corresponding point releases 4.0.6 and 5.0.2. The issue has been patched in these versions. A temporary mitigation involves setting ExtConnPoolSize to 0 in the firebird.conf configuration file, effectively disabling the external connection pool feature to prevent exploitation. The CVSS v3.1 base score is 7.1, reflecting high severity, with attack vector being network (AV:N), requiring high attack complexity (AC:H), low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H) with low impact on availability (A:L). No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations utilizing FirebirdSQL databases, this vulnerability poses a significant risk primarily in terms of availability and data integrity. The segmentation fault can cause unexpected server crashes, leading to denial of service conditions that disrupt business operations relying on database availability. More critically, the improper handling of encrypted databases may allow unauthorized access to encrypted data if an attachment can access a database without the proper encryption key, potentially compromising confidentiality and integrity of sensitive information. This is particularly concerning for sectors with strict data protection requirements such as finance, healthcare, and government institutions within Europe. The requirement for low privileges to exploit the vulnerability increases the risk, as attackers with limited access could trigger the fault remotely over the network. Although no active exploits are currently known, the high CVSS score and the nature of the flaw suggest that attackers could develop exploits, especially targeting environments where ExtConnPoolSize is not set to 0. The impact on confidentiality and integrity elevates the threat beyond a simple denial of service, making it critical for organizations to address this vulnerability promptly to maintain compliance with European data protection regulations such as GDPR and to safeguard critical infrastructure.
Mitigation Recommendations
European organizations should immediately verify their FirebirdSQL configurations and upgrade to the patched versions 4.0.6.3183, 5.0.2.1610, 6.0.0.609 or later. If immediate patching is not feasible, setting ExtConnPoolSize to 0 in the firebird.conf file is an effective interim mitigation to disable the external connection pool and prevent the vulnerability from being triggered. Additionally, organizations should audit their use of encrypted databases and external execute statements to ensure proper key management and access controls are enforced. Network-level protections such as firewall rules limiting access to FirebirdSQL ports (default 3050) to trusted hosts can reduce exposure. Monitoring FirebirdSQL server logs for unusual crashes or segmentation faults can help detect attempted exploitation. Finally, organizations should implement strict privilege management to minimize the number of users with database access and regularly review and update their incident response plans to include scenarios involving database service disruptions.
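The configuration and version check recommended above can be scripted. The following is an added example, not code from the Firebird project or from this advisory's source; the function names, the sample firebird.conf text and the sample version string are constructed for illustration, and files pulled in through include directives are not followed.

```python
import re

# Patched snapshot builds from the advisory, keyed by major version.
PATCHED = {4: (4, 0, 6, 3183), 5: (5, 0, 2, 1610), 6: (6, 0, 0, 609)}

def workaround_state(conf_text):
    """Classify ExtConnPoolSize in firebird.conf text: unset / applied / pool-enabled."""
    values = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        m = re.fullmatch(r"(?i)ExtConnPoolSize\s*=\s*(\S+)", line)
        if m:
            values.append(m.group(1))
    if not values:
        return "unset"  # relies on the built-in default; confirm it separately
    # Conservative: any value that is not literally zero counts as enabled.
    return "applied" if all(re.fullmatch(r"0+", v) for v in values) else "pool-enabled"

def is_patched(version_string):
    """True/False against the advisory's builds; None if the version is not covered."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        return None
    build = tuple(int(x) for x in m.groups())
    fixed = PATCHED.get(build[0])
    return None if fixed is None else build >= fixed

def assess(conf_text, version_string):
    """Combine both checks into patched / mitigated / exposed / review."""
    patched, state = is_patched(version_string), workaround_state(conf_text)
    if patched:
        return "patched"
    if state == "applied":
        return "mitigated"
    if state == "pool-enabled" and patched is False:
        return "exposed"
    return "review"

# Constructed sample inputs (not taken from a real server).
SAMPLE_CONF = """\
#ExtConnPoolSize = 0
ExtConnPoolSize = 10   # pool turned on by an administrator
ExtConnPoolLifeTime = 7200
"""
SAMPLE_VERSION = "LI-V4.0.5.3140 Firebird 4.0"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_VERSION))
```

A "review" result means the script could not decide, for example because the setting is absent or the version string is not one the advisory covers.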
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-01-29T15:18:03.211Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689f4faaad5a09ad006e06d6
Added to database: 8/15/2025, 3:18:02 PM
Last enriched: 8/15/2025, 3:32:50 PM
Last updated: 8/15/2025, 4:24:15 PM