CVE-2025-7964 in Zigbee Stack
Summary
by MITRE • 01/30/2026
After receiving a malformed 802.15.4 MAC Data Request, the Zigbee Coordinator sends a ‘network leave’ request to the Zigbee Router, leaving the Zigbee Router stuck in a non-rejoinable state. If a suitable parent is not available, the end devices will be unable to rejoin. Manual recommissioning is required to recover the Zigbee Router.
If you want the best-quality vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/30/2026
This vulnerability resides in the 802.15.4 MAC layer implementation of Zigbee coordinator devices. The flaw manifests when a Zigbee coordinator receives a malformed MAC Data Request frame from a router node, which triggers an improper state transition in the network management logic. The vulnerability is categorized under CWE-121, as it involves improper handling of malformed input data that leads to unexpected behavior in the network stack. The attack vector targets the coordinator's handling of network management frames, exploiting missing input validation and error handling in MAC layer processing.
The vulnerability stems from inadequate validation of incoming MAC frames within the coordinator's network management subsystem. When a malformed Data Request frame is received, the coordinator's state machine transitions incorrectly and initiates a network leave operation against the router node. This creates a cascading effect: the router node is placed in a state from which it cannot rejoin the network without manual intervention. The vulnerability represents a failure of the coordinator's robustness against malformed network frames, a fundamental requirement for secure network protocol implementations.
The operational impact of this vulnerability extends beyond simple network disruption to create persistent device lockout conditions within Zigbee networks. End devices that lose connectivity due to this vulnerability become permanently non-rejoinable unless manually recommissioned, effectively removing them from network operation until administrative intervention occurs. This situation creates a significant risk for large-scale deployments where manual recommissioning of numerous devices becomes operationally burdensome. The vulnerability particularly affects residential and industrial automation systems where continuous network availability is critical, potentially leading to security gaps and service disruptions.
Network resilience and availability are fundamentally compromised by this vulnerability, as it creates a single point of failure that can disable entire network segments. The attack requires minimal sophistication to exploit, as it only requires sending a malformed 802.15.4 frame to a coordinator, making it accessible to threat actors with basic network knowledge. This vulnerability aligns with ATT&CK technique T1566.001 for initial access through malformed network protocols and T1490 for impact through network disruption. Organizations implementing Zigbee-based IoT solutions face significant operational risks, as the vulnerability can be exploited remotely if network interfaces are accessible, potentially leading to complete network partitioning and service degradation.
Mitigation strategies should focus on implementing robust input validation and error handling within coordinator implementations, particularly for MAC layer frames. Network segmentation and monitoring should be deployed to detect malformed frame patterns that could indicate exploitation attempts. Firmware updates addressing the specific state transition logic and implementing proper frame validation are essential. Additionally, network administrators should establish automated monitoring for router node status changes and implement procedures for rapid recovery from such incidents. The vulnerability underscores the importance of implementing proper protocol state machine validation and defensive programming practices in embedded network devices, as outlined in industry standards for secure embedded system design and network protocol implementation.
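As an added illustration of the MAC-layer frame validation the mitigation paragraph calls for (example code written for this page, not code from any Zigbee stack or from VulDB): a structural check of an 802.15.4 MAC Data Request that rejects a frame before it can reach the coordinator's network-management state machine. It assumes the radio has already verified and stripped the 2-byte FCS, follows the 2006-revision addressing rules (frame versions 0 and 1), and uses constructed sample frames; the specific malformation behind CVE-2025-7964 is not published on this page, so the checks are the specification's generic structural constraints rather than a signature for that frame.

```python
import struct
FRAME_TYPE_MAC_COMMAND = 0x3   # FCF bits 0-2
CMD_DATA_REQUEST = 0x04        # MAC command identifier in the first payload byte
ADDR_NONE, ADDR_LEN = 0, {0: 0, 2: 2, 3: 8}   # addressing mode -> address bytes (1 is reserved)

def parse_mhr(mpdu):
    """Walk the MAC header; return (frame_type, src_mode, payload_offset) or raise ValueError."""
    if len(mpdu) < 3:
        raise ValueError("shorter than FCF + sequence number")
    fcf = struct.unpack_from("<H", mpdu, 0)[0]
    frame_type, security = fcf & 0x7, (fcf >> 3) & 1
    pan_compress = (fcf >> 6) & 1
    dst_mode, version, src_mode = (fcf >> 10) & 3, (fcf >> 12) & 3, (fcf >> 14) & 3
    if version > 1 or dst_mode == 1 or src_mode == 1:
        raise ValueError("unsupported frame version or reserved addressing mode")
    if pan_compress and dst_mode == ADDR_NONE:
        raise ValueError("PAN ID compression without a destination address")
    off = 3
    if dst_mode != ADDR_NONE:
        off += 2 + ADDR_LEN[dst_mode]                 # destination PAN ID + address
    if src_mode != ADDR_NONE:
        off += (0 if pan_compress else 2) + ADDR_LEN[src_mode]
    if security:                                      # aux header: control(1) + counter(4) + key id
        if len(mpdu) < off + 5:
            raise ValueError("truncated auxiliary security header")
        off += 5 + (0, 1, 5, 9)[(mpdu[off] >> 3) & 3]   # key-identifier length by key id mode
    if len(mpdu) < off:
        raise ValueError("addressing fields run past the end of the frame")
    return frame_type, src_mode, off

def validate_data_request(mpdu):
    """Return (accepted, reason); only accepted frames may reach the coordinator's state machine."""
    try:
        frame_type, src_mode, off = parse_mhr(mpdu)
    except ValueError as exc:
        return False, f"malformed header: {exc}"
    if frame_type != FRAME_TYPE_MAC_COMMAND or len(mpdu) < off + 1:
        return False, "not a complete MAC command frame"
    if mpdu[off] != CMD_DATA_REQUEST:
        return False, "not a Data Request"
    if src_mode == ADDR_NONE:
        return False, "Data Request must carry a source address"
    if len(mpdu) != off + 1:
        return False, "trailing bytes after the command identifier"
    return True, "ok"

# Constructed sample frames with the FCS already stripped; not captures from any real device.
GOOD = bytes.fromhex("6398 2a 3412 0000 7856 04")   # short src/dst, PAN ID compressed, AR set
NO_SRC = bytes.fromhex("2318 2a 3412 0000 04")      # source addressing mode = none
TRUNC, TRAILING = GOOD[:8], GOOD + b"\xff\xff"      # cut inside the addressing fields / extra bytes
```

A rejection reason returned here is also the event a monitoring hook would count per source address, which is the "malformed frame pattern" signal the mitigation paragraph asks for.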