CVE-2025-49480 is a high-severity vulnerability classified as CWE-125, an out-of-bounds read, affecting ASR's Falcon_Linux, Kestrel, and Lapwing_Linux products, specifically versions prior to v1536. The flaw resides in the LTE telephony component of ASR180x and ASR190x devices, within the LZMA compression implementation (apps/lzma/src/LzmaEnc.c). An out-of-bounds read occurs when the software reads memory outside the intended buffer bounds, potentially leading to information disclosure, data corruption, or triggering undefined behavior that could be leveraged for further exploitation. The CVSS 3.1 base score of 7.4 indicates a high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and scope change (S:C). The impact includes low confidentiality, integrity, and availability impacts individually, but combined with scope change, the overall effect is significant. No known exploits are currently reported in the wild, and no patches are linked yet, indicating a need for vigilance and proactive mitigation. The vulnerability affects critical telephony infrastructure components embedded in ASR's Linux-based products, which are likely used in telecommunications environments for LTE services.

For European organizations, especially telecom operators and infrastructure providers relying on ASR's Falcon_Linux, Kestrel, and Lapwing_Linux platforms, this vulnerability poses a significant risk. Exploitation could allow attackers to remotely read out-of-bounds memory, potentially leaking sensitive information such as cryptographic keys, configuration data, or user information. Given the scope change, the vulnerability could be leveraged to affect other components or escalate privileges, impacting the integrity and availability of LTE telephony services. Disruption or compromise of LTE infrastructure can degrade network reliability, affect end-user connectivity, and cause regulatory and reputational damage. Critical national infrastructure and emergency communication systems that depend on these platforms are particularly at risk. The lack of known exploits currently provides a window for mitigation before active attacks emerge.

European organizations should immediately identify deployments of ASR Falcon_Linux, Kestrel, and Lapwing_Linux products, focusing on versions prior to v1536. Until official patches are released, network-level mitigations such as strict access controls, segmentation of LTE telephony management interfaces, and monitoring for anomalous traffic patterns targeting the LZMA compression routines should be implemented. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect potential exploitation attempts. Limit privileged access to affected systems and enforce multi-factor authentication to reduce the risk posed by the low privilege requirement. Coordinate with ASR for timely patch deployment once available and conduct thorough testing before production rollout. Additionally, perform memory integrity checks and audit logs for signs of exploitation attempts. Engage with telecom security communities to share intelligence and best practices for protecting LTE infrastructure.