
CVE-2025-49490: CWE-404 Improper Resource Shutdown or Release in ASR Falcon_Linux, Kestrel, Lapwing_Linux

Medium
Tags: Vulnerability, CVE-2025-49490, CWE-404
Published: Tue Jul 01 2025 (07/01/2025, 09:56:53 UTC)
Source: CVE Database V5
Vendor/Project: ASR
Product: Falcon_Linux, Kestrel, Lapwing_Linux

Description

Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure. This vulnerability is associated with program files router/sms/sms.c. This issue affects Falcon_Linux, Kestrel, Lapwing_Linux: before v1536.

AI-Powered Analysis

AI analysis last updated: 07/01/2025, 10:24:32 UTC

Technical Analysis

CVE-2025-49490 is a resource leak vulnerability in the ASR180x router series, affecting the Falcon_Linux, Kestrel, and Lapwing_Linux products before version 1536. It is classified as CWE-404 (Improper Resource Shutdown or Release) and is located in the router's SMS handling component, in the source file router/sms/sms.c. The flaw allows resources such as memory or file handles to remain allocated after their intended use, so repeated triggering exhausts them over time, degrading router performance or causing a denial of service (DoS). The CVSS v3.1 base score is 5.4 (medium severity). The vector indicates that the vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), requires low privileges (PR:L) and no user interaction (UI:N), and affects mainly availability (A:L), with limited confidentiality impact (C:L) and no integrity impact (I:N). No exploits are known in the wild, and no patch has been linked to the record yet. Exploitation would likely involve sending crafted SMS messages or commands to the router's SMS processing subsystem to trigger the leak repeatedly, eventually disrupting service or degrading network performance.

Potential Impact

For European organizations relying on ASR180x routers running Falcon_Linux, Kestrel, or Lapwing_Linux, this vulnerability poses a risk of network instability and potential denial of service. Resource leaks can accumulate over time, causing routers to exhaust critical system resources, leading to degraded performance or crashes. This can disrupt business operations, especially for organizations with high dependency on continuous network availability such as financial institutions, telecommunications providers, and critical infrastructure operators. The limited confidentiality impact reduces the risk of data exposure; however, the availability impact can indirectly affect data integrity and operational continuity. Given the medium severity and the requirement for low privilege access, attackers with some network access could exploit this vulnerability to degrade service quality or cause outages, potentially impacting service level agreements and regulatory compliance requirements in Europe.

Mitigation Recommendations

Organizations should prioritize upgrading affected ASR180x routers to version 1536 or later once the vendor releases a patch addressing CVE-2025-49490. Until patches are available, network administrators should implement strict access controls to limit low-privilege access to router management interfaces and SMS processing components. Monitoring resource utilization metrics on routers can help detect abnormal resource consumption indicative of exploitation attempts. Network segmentation and firewall rules should restrict unsolicited SMS or management traffic to these devices. Additionally, deploying anomaly detection systems to identify unusual patterns in SMS handling or router performance degradation can provide early warning signs. Regular firmware audits and vulnerability scanning should be integrated into the security lifecycle to ensure timely detection of similar issues. Finally, organizations should engage with the vendor for timely updates and advisories.


Technical Details

Data Version
5.1
Assigner Short Name
ASR
Date Reserved
2025-06-06T02:42:06.644Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6863b3da6f40f0eb728ee0fb

Added to database: 7/1/2025, 10:09:30 AM

Last enriched: 7/1/2025, 10:24:32 AM

Last updated: 7/1/2025, 10:24:32 AM
