CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running anywhere outside of a very small number of lab environments.
Analysis
A buffer overflow vulnerability exists in the 'su' command of UNIX Fourth Research Edition (v4) from 1973, allowing local users to gain root privileges by overflowing a 100-byte password buffer. While this has a high CVSS score (7.4), it affects an ancient operating system that is extremely unlikely to be in production use today, existing only in historical computing labs or museums. No evidence of active exploitation exists (not in KEV), and the vulnerability was discovered as part of historical security research.
Technical Context
The vulnerability (CWE-120: Buffer Copy without Checking Size of Input) affects AT&T Bell Labs UNIX v4 (CPE: cpe:2.3:a:at&t_bell_labs:unix:*:*:*:*:*:*:*:*). The 'su' (switch user) command contains a fixed 100-byte buffer for password input that lacks bounds checking, allowing attackers to write beyond the buffer boundaries. This classic buffer overflow vulnerability predates modern security practices and protections such as stack canaries, ASLR, or the NX bit that would prevent exploitation on modern systems.
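The bounds check that the password read described above lacks, as an added example in modern C. It is not the UNIX v4 source or code from this advisory; `PWLEN`, `read_line_bounded` and `demo` are hypothetical names chosen for illustration, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define PWLEN 100 /* buffer size given in the advisory */

/* An unchecked loop that stores every byte up to the newline writes past buf
 * once the line reaches PWLEN bytes. This bounded form stores at most cap-1
 * bytes, consumes the rest of the line, and rejects an over-long password
 * instead of truncating it. Returns the length, or -1 on rejection. */
int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    size_t n = 0;
    int c, too_long = 0;
    if (cap == 0) return -1;
    while ((c = getc(in)) != EOF && c != '\n') {
        if (n + 1 < cap)
            buf[n++] = (char)c;
        else
            too_long = 1;       /* keep reading, stop storing */
    }
    buf[n] = '\0';
    if (too_long) {
        memset(buf, 0, cap);    /* clear the partial input */
        return -1;
    }
    return (int)n;
}

/* Constructed input: a line of `len` 'A' bytes. Returns the reader's result,
 * -2 if the guard byte placed after the buffer changed, -3 on I/O error. */
int demo(size_t len)
{
    struct { char pw[PWLEN]; char guard; } s;
    FILE *f = tmpfile();
    if (f == NULL) return -3;
    s.guard = 0x5a;
    for (size_t i = 0; i < len; i++)
        putc('A', f);
    putc('\n', f);
    rewind(f);
    int r = read_line_bounded(f, s.pw, sizeof s.pw);
    fclose(f);
    return s.guard == 0x5a ? r : -2;
}

int main(void)
{
    printf("99 bytes -> %d, 100 bytes -> %d\n", demo(99), demo(100));
    return 0;
}
```

Rejecting the over-long line, rather than truncating it, avoids comparing a shortened password and leaves no unread bytes in the input stream for the next read.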
Affected Products
AT&T Bell Labs UNIX Fourth Research Edition (v4) from 1973. According to EUVD data, the vulnerability specifically affects 'UNIX 4'. The CPE identifier (cpe:2.3:a:at&t_bell_labs:unix:*:*:*:*:*:*:*:*) uses wildcards suggesting all versions, but the description and EUVD confirm this is specific to v4. No modern derivatives or distributions are affected.
Remediation
No patches exist or are necessary for this historical vulnerability. If UNIX v4 is somehow still running in 2025, the only remediation would be to migrate to a modern operating system. The references (sigma-star.at blog, TUHS mailing list, discuss.systems post, and spinellis.gr blog) appear to be security research discussions rather than vendor advisories. No vendor support exists for this 50+-year-old operating system.
EUVD-2025-208655