LiveActive security incident?Get immediate response
CVE Record

CVE-2019-14201: An issue was discovered in Das U-Boot through 2019.07.

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_lookup_reply.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2019-14201 is a stack-based buffer overflow in Das U-Boot through 2019.07, affecting NFS reply handling. Business risk is highest for embedded or industrial devices that boot or recover over NFS. The bundle does not provide CVSS scoring, confirmed exploitation, or a universal product list.

Executive priority

Treat this as a targeted firmware exposure issue, not a broad internet software patch cycle. Prioritize environments with U-Boot-based devices, NFS boot, industrial systems, or vendor advisories. Lack of KEV evidence lowers immediate incident assumptions but not remediation priority for reachable boot paths.

Technical view

The flaw is in the U-Boot nfs_handler reply helper nfs_lookup_reply. The cited Semmle source characterizes the issue as an NFS-related U-Boot RCE vulnerability, but this bundle does not include exploit details, CVSS metrics, or a complete affected-vendor matrix.

Likely exposure

Exposure is most likely in embedded, appliance, OT, or industrial systems using Das U-Boot through 2019.07, especially where NFS boot paths are enabled or reachable. Siemens issued a product advisory, so product-specific exposure should be checked against vendor guidance.

Exploitation context

No CISA KEV listing is provided and the source bundle does not cite active exploitation. Risk depends on whether an attacker can interact with vulnerable U-Boot NFS boot or recovery behavior, which is typically environment-specific.

Researcher notes

The public bundle identifies the vulnerable function and version range, but lacks CVSS, CWE, exploit status, and complete affected products. Avoid extrapolating beyond U-Boot through 2019.07 and vendor advisories. Focus research on firmware provenance, boot configuration, and product-specific advisory mapping.

Mitigation direction

  • Inventory devices and firmware using Das U-Boot through 2019.07.
  • Check U-Boot, device vendor, and Siemens guidance for fixed firmware.
  • Disable unnecessary NFS boot or recovery paths where operationally possible.
  • Restrict boot-time network services to trusted management networks.
  • Prioritize firmware updates for exposed or safety-critical devices.

Validation and detection

  • Confirm bootloader version from vendor firmware records or device inventory.
  • Review whether NFS boot or recovery is enabled on affected devices.
  • Map reachable management and boot networks for those devices.
  • Check vendor advisories for exact affected models and firmware levels.
  • Validate remediation in staging before updating critical equipment.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2019-14201 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
siemens-SADPADP container

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.