CVE-2025-67780_CVE-2025-67780

4.2 / 10

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Description

SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish.

Basic Information

ID CVE-2025-67780

Source mitre

Published Dec 11, 2025 at 23:05

Modified Dec 11, 2025 at 23:12

Affected Product

Vendor SpaceX

Product Starlink Dish

Version 2024.12.04.mr46620

Affected Versions SpaceX Starlink Dish 2024.12.04.mr46620

CWE Classification

CWE-306

References

www.akawlabs.com /blog/starlink-grpc-execution

{
    "lastseen": "",
    "description": "SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish.",
    "published": "2025-12-11T23:05:44.156Z",
    "modified": "2025-12-11T23:12:58.232Z",
    "type": "cve",
    "title": "CVE-2025-67780",
    "source": "mitre",
    "references": "https://www.akawlabs.com/blog/starlink-grpc-execution",
    "id": "CVE-2025-67780",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "SpaceX Starlink Dish 2024.12.04.mr46620",
    "sourceHref": "",
    "cvss": {
        "score": 4.2,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Starlink Dish",
    "version": "2024.12.04.mr46620",
    "vendor": "SpaceX",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}