CVE-2020-15025

Name: CVE-2020-15025
Creator: NVD / NIST
Published: 2020-06-24T19:15:10.147+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.9/10EPSS 3.36%

Last modified Jun 17, 2026

CVE-2020-15025 is a medium-severity vulnerability rated 4.9/10 on the CVSS scale. ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.. EPSS estimates a 3.36% chance of exploitation in the next 30 days.

Description

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

Metrics

CVSS 3.1

4.9/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

3.36%

87.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-401

Affected Software

Vendor	Product	Versions	Update
Ntp	Ntp	>= 4.3.97, < 4.3.101	—
Ntp	Ntp	4.2.8	P11
Opensuse	Leap	15.1	—
Opensuse	Leap	15.2	—
Netapp	Cloud Backup	All versions	—
Netapp	Steelstore Cloud Integrated Storage	All versions	—
Netapp	8300 Firmware	All versions	—
Netapp	8700 Firmware	All versions	—
Netapp	A400 Firmware	All versions	—
Netapp	H410c Firmware	All versions	—
Netapp	H300s Firmware	All versions	—
Netapp	H500s Firmware	All versions	—
Netapp	H700s Firmware	All versions	—
Netapp	H300e Firmware	All versions	—
Netapp	H500e Firmware	All versions	—
Netapp	H700e Firmware	All versions	—
Netapp	H410s Firmware	All versions	—
Oracle	Zfs Storage Appliance Kit	8.8	—

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.htmlMailing List, Third Party Advisory
https://bugs.gentoo.org/729458Issue Tracking, Third Party Advisory
https://security.gentoo.org/glsa/202007-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20200702-0002/Third Party Advisory
https://support.ntp.org/bin/view/Main/NtpBug3661Vendor Advisory
https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_ReleaRelease Notes, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.htmlMailing List, Third Party Advisory
https://bugs.gentoo.org/729458Issue Tracking, Third Party Advisory
https://security.gentoo.org/glsa/202007-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20200702-0002/Third Party Advisory
https://support.ntp.org/bin/view/Main/NtpBug3661Vendor Advisory
https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_ReleaRelease Notes, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory

Timeline

Published: Jun 24, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-15025?

How severe is CVE-2020-15025?

CVE-2020-15025 has a CVSS score of 4.9/10 (MEDIUM severity). The EPSS model estimates a 3.36% probability of exploitation in the next 30 days.

How do I fix CVE-2020-15025?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-15025?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST