CVE-2025-55102 Overview
A denial-of-service vulnerability exists in the NetX IPv6 component of Eclipse ThreadX NetX Duo. It is triggered when the affected component processes a specially crafted "Packet Too Big" network packet with more than 15 different source addresses. An attacker who sends such a packet can cause denial-of-service conditions on affected devices.
Critical Impact
This vulnerability allows remote attackers to cause denial of service on IoT devices and embedded systems running Eclipse ThreadX NetX Duo without requiring authentication or user interaction.
Affected Products
- Eclipse ThreadX NetX Duo (IPv6 component)
- Embedded systems and IoT devices utilizing NetX Duo networking stack
- Real-time operating systems implementing ThreadX NetX Duo
Discovery Timeline
- 2026-01-27 - CVE-2025-55102 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-55102
Vulnerability Analysis
This denial-of-service vulnerability stems from improper handling of ICMPv6 "Packet Too Big" messages within the NetX IPv6 component of Eclipse ThreadX NetX Duo. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), indicating that the system fails to properly limit the resources consumed when processing malformed network packets.
The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction. When successfully exploited, the attack results in a complete denial of service, disrupting the availability of the affected embedded system or IoT device.
Root Cause
The root cause of this vulnerability lies in the inadequate boundary checking when processing ICMPv6 "Packet Too Big" messages. Specifically, the IPv6 component does not properly validate or limit the number of different source addresses that can be processed within a single "Packet Too Big" message. When more than 15 different source addresses are included in such a packet, the system experiences resource exhaustion, leading to denial of service.
This represents a classic CWE-400 (Uncontrolled Resource Consumption) issue where input validation fails to enforce appropriate limits on resource allocation during packet processing.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker can craft a malicious ICMPv6 "Packet Too Big" packet containing more than 15 different source addresses and send it to a target device running the vulnerable Eclipse ThreadX NetX Duo stack.
The attack is relatively straightforward to execute:
- The attacker identifies a target device using Eclipse ThreadX NetX Duo with IPv6 enabled
- A specially crafted ICMPv6 "Packet Too Big" message is constructed with more than 15 source addresses
- The malicious packet is sent to the target device
- Upon processing the packet, the vulnerable component experiences resource exhaustion
- The target device becomes unresponsive, resulting in denial of service
For detailed technical information about this vulnerability, refer to the GitHub Security Advisory.
Detection Methods for CVE-2025-55102
Indicators of Compromise
- Unusual volume of ICMPv6 "Packet Too Big" messages targeting affected devices
- Network traffic containing malformed IPv6 packets with excessive source address entries
- Sudden unresponsiveness or crashes of IoT devices and embedded systems running ThreadX NetX Duo
- Repeated service restarts or watchdog timer triggers on affected embedded systems
Detection Strategies
- Monitor for ICMPv6 Type 2 (Packet Too Big) messages with anomalous payload sizes or structures
- Implement network intrusion detection rules to identify packets with more than 15 different source addresses in ICMPv6 messages
- Deploy deep packet inspection at network boundaries to analyze IPv6 traffic patterns
- Configure alerting for sudden availability issues on known ThreadX NetX Duo devices
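One way to implement the source-address rule from the strategies above, added here as an example and not taken from the advisory or from NetX Duo: it counts distinct IPv6 source addresses of ICMPv6 Type 2 messages per destination device inside a time window. The record format, the 60-second window and the function names are assumptions; the threshold of 15 comes from the CVE description.

```python
import ipaddress
from collections import defaultdict, deque

PTB_TYPE = 2          # ICMPv6 type 2 = Packet Too Big (RFC 4443)
MAX_SOURCES = 15      # threshold taken from the CVE description
WINDOW_SECONDS = 60   # assumed correlation window, tune per network


def parse_record(line):
    """Parse 'epoch,src,dst,icmp6_type,mtu' (hypothetical sensor export format)."""
    epoch, src, dst, icmp_type, mtu = line.strip().split(",")
    # ipaddress normalises textual variants, so one address is never counted twice
    return (float(epoch), ipaddress.IPv6Address(src),
            ipaddress.IPv6Address(dst), int(icmp_type), int(mtu))


def find_ptb_source_spread(lines, max_sources=MAX_SOURCES, window=WINDOW_SECONDS):
    """Return [(epoch, dst, n_sources)] when a device sees > max_sources PTB senders."""
    recent = defaultdict(deque)   # dst -> (epoch, src) pairs still inside the window
    alerted = set()               # destinations currently above the threshold
    alerts = []
    for line in lines:            # records are assumed time-ordered per destination
        if not line.strip() or line.startswith("#"):
            continue
        epoch, src, dst, icmp_type, _mtu = parse_record(line)
        if icmp_type != PTB_TYPE:
            continue
        seen = recent[dst]
        seen.append((epoch, src))
        while seen and epoch - seen[0][0] > window:
            seen.popleft()        # forget senders that fell out of the window
        distinct = {s for _, s in seen}
        if len(distinct) > max_sources:
            if dst not in alerted:          # alert once per excursion, then re-arm
                alerts.append((epoch, str(dst), len(distinct)))
                alerted.add(dst)
        else:
            alerted.discard(dst)
    return alerts


# Constructed sample records using the 2001:db8::/32 documentation prefix
SAMPLE = (
    [f"{1000 + i},2001:db8:a::{i + 1:x},2001:db8::10,2,1280" for i in range(16)]
    + [f"{1000 + i},2001:db8:b::1,2001:db8::20,2,1400" for i in range(20)]    # one router
    + [f"{1000 + i},2001:db8:c::{i + 1:x},2001:db8::30,128,0" for i in range(30)]  # echo
)
```

Only the first destination in the sample crosses the threshold; repeated Packet Too Big messages from a single router and non-PTB traffic from many sources do not alert.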
Monitoring Recommendations
- Enable verbose logging on network infrastructure to capture IPv6 traffic anomalies
- Implement baseline monitoring for ICMPv6 traffic volumes to detect abnormal spikes
- Configure SIEM rules to correlate device unavailability with preceding network traffic patterns
- Monitor embedded device health metrics including CPU utilization and memory consumption
How to Mitigate CVE-2025-55102
Immediate Actions Required
- Review the official security advisory and apply vendor-provided patches immediately
- Segment affected embedded devices and IoT systems from untrusted network segments
- Implement network-level filtering to block malformed ICMPv6 packets at the perimeter
- Enable rate limiting for ICMPv6 traffic targeting vulnerable devices
- Inventory all systems running Eclipse ThreadX NetX Duo to identify exposure scope
Patch Information
Eclipse ThreadX has published a security advisory addressing this vulnerability. Organizations should consult the GitHub Security Advisory for official patch information and updated versions of NetX Duo that address this denial-of-service vulnerability.
Workarounds
- Disable IPv6 on affected devices if not required for operational purposes
- Implement strict firewall rules to filter ICMPv6 "Packet Too Big" messages from untrusted sources
- Deploy network-level rate limiting for ICMPv6 traffic to reduce attack surface
- Consider network segmentation to isolate vulnerable embedded devices from external attack vectors
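# Example firewall rule to rate limit ICMPv6 Packet Too Big messages (ip6tables)
# INPUT filters traffic addressed to the filtering host itself; on a gateway in front of
# NetX Duo devices, apply the same pair of rules to the FORWARD chain.
# Rate limit rather than block outright: IPv6 Path MTU Discovery depends on Packet Too Big.
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j DROP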
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


