CVE-2025-0728

7.5 HIGH

📋 TL;DR

An integer underflow in the HTTP server component of Eclipse ThreadX NetX Duo lets a remote, unauthenticated attacker cause a denial of service by sending a crafted HTTP PUT request whose Content-Length header does not match the amount of body data actually sent. Systems that run the NetX Duo HTTP server with PUT handling enabled on a version earlier than 6.4.2 are affected.

💻 Affected Systems

Products:
  • Eclipse ThreadX NetX Duo
Versions: All versions before 6.4.2
Operating Systems: Any OS using NetX Duo (commonly embedded/RTOS systems)
Default Config Vulnerable: ⚠️ Yes
Notes: The underflow is in PUT request handling, so only applications whose HTTP server accepts PUT requests are exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service of the HTTP server component. On a single-image RTOS there is no process isolation, so a fault in the server thread can take down the whole device or trigger a watchdog reset, not just the web service.

🟠 Likely Case

The HTTP server becomes unresponsive or crashes, disrupting web services on the affected device until it is reset.

🟢 If Mitigated

Minimal impact if PUT support is disabled or the library has been updated to 6.4.2 or later.

🌐 Internet-Facing: HIGH - Internet-facing HTTP servers with PUT enabled are directly exploitable by remote attackers.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access; risk depends on internal threat landscape.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific HTTP packets but no authentication is needed; attacker needs network access to HTTP server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.2

Vendor Advisory: https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-hqp7-4q26-6wqf

Restart Required: Yes. NetX Duo is linked into the device firmware, so the fix is applied by rebuilding and reflashing the image, which reboots the device.

Instructions:

1. Update the NetX Duo library in your build to version 6.4.2 or later.
2. Rebuild the affected firmware images and redeploy them to the devices.
3. Verify that HTTP PUT requests are still handled correctly after the update.

🔧 Temporary Workarounds

Disable HTTP PUT Support

Applies to: all affected versions

Reject HTTP PUT requests in the NetX Duo HTTP server so the affected request path is never reached.

NetX Duo has no standalone server configuration file; whether PUT is accepted is decided by the application. In the Web HTTP server addon, the application's request_notify callback receives each request together with its request type (NX_WEB_HTTP_SERVER_PUT_REQUEST for PUT) and can send an error response and return NX_WEB_HTTP_CALLBACK_COMPLETED so the server does not process the request further. Confirm against the version in use that the callback runs before the request body is consumed; upgrading remains the only complete fix.

🧯 If You Can't Patch

  • Disable HTTP PUT functionality in server configuration.
  • Implement network filtering to block or monitor HTTP PUT requests to vulnerable systems.

🔍 How to Verify

Check if Vulnerable:

Check NetX Duo library version; if below 6.4.2 and HTTP PUT is enabled, system is vulnerable.

Check Version:

Check the version macros in the library's nx_api.h (NETXDUO_MAJOR_VERSION, NETXDUO_MINOR_VERSION, NETXDUO_PATCH_VERSION); the combined version must be 6.4.2 or later. Shipped firmware can be checked for the NetX Duo version string embedded in the image.

Verify Fix Applied:

Verify that the NetX Duo version is 6.4.2 or later, then exercise HTTP PUT with mismatched Content-Length values on a test device, not on production hardware, since a still-vulnerable build will crash.
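The version check above, as an added example (not part of the advisory or the NetX Duo project): it reads the NETXDUO_MAJOR_VERSION, NETXDUO_MINOR_VERSION and NETXDUO_PATCH_VERSION macros from nx_api.h and compares them against the fixed release. Whether PUT is enabled is application-specific, so it is passed in as a flag. The header excerpt in the block is constructed sample data.

```python
"""Check a NetX Duo source tree for the CVE-2025-0728 fix level.

Added example, not code from the advisory or from NetX Duo. It parses the
version macros defined in nx_api.h and compares them with 6.4.2, the first
fixed release. PUT exposure is a property of the application, so it is a flag.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = (6, 4, 2)

# One macro per line: "#define NETXDUO_MAJOR_VERSION    6"
_MACRO_RE = re.compile(
    r"^\s*#define\s+NETXDUO_(MAJOR|MINOR|PATCH)_VERSION\s+(\d+)", re.MULTILINE
)


def parse_netxduo_version(header_text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from nx_api.h text, or None if any macro is missing."""
    found = {m.group(1): int(m.group(2)) for m in _MACRO_RE.finditer(header_text)}
    if not {"MAJOR", "MINOR", "PATCH"} <= found.keys():
        return None
    return (found["MAJOR"], found["MINOR"], found["PATCH"])


def is_vulnerable(version: Tuple[int, int, int], put_enabled: bool) -> bool:
    """CVE-2025-0728 applies when the library predates 6.4.2 and the server accepts PUT."""
    return put_enabled and version < FIXED_VERSION


def check_tree(root: str, put_enabled: bool = True) -> dict:
    """Locate nx_api.h under root and report the version and exposure."""
    for path in Path(root).rglob("nx_api.h"):
        version = parse_netxduo_version(path.read_text(errors="replace"))
        if version:
            return {
                "path": str(path),
                "version": version,
                "vulnerable": is_vulnerable(version, put_enabled),
            }
    return {"path": None, "version": None, "vulnerable": None}


# Constructed excerpt mimicking the macro block of an nx_api.h from a 6.4.1 tree.
SAMPLE_HEADER_641 = """
/* Define the NetX Duo version.  */
#define NETXDUO_MAJOR_VERSION    6
#define NETXDUO_MINOR_VERSION    4
#define NETXDUO_PATCH_VERSION    1
"""

if __name__ == "__main__":
    import sys

    print(check_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the root of the firmware source tree as the argument; pass put_enabled=False from your own wrapper if the application never accepts PUT, since in that case an old library is still worth updating but is not exposed to this issue.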

📡 Detection & Monitoring

Log Indicators:

  • HTTP server crash logs
  • Unusual HTTP PUT requests with mismatched Content-Length headers
  • Resource exhaustion warnings

Network Indicators:

  • HTTP PUT requests with Content-Length smaller than actual data size
  • Multiple failed HTTP requests to same endpoint

SIEM Query:

Pseudo-query; field names depend on your HTTP log source, and the body size field must be one the source actually records rather than an estimate. Keep the method and length test grouped so that a server banner match alone does not fire:

(http.method:PUT AND http.content_length < http.request.body_bytes) AND http.server:*NetX*

Drop the server clause if the devices do not emit a recognizable Server header.
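The network indicator above, turned into detection logic, as an added example (not code from the advisory or from NetX Duo): it parses reassembled HTTP/1.x requests, for instance exported from a packet capture, and reports PUT requests whose body exceeds the declared Content-Length or whose Content-Length is missing, negative or non-numeric. The sample requests are constructed.

```python
"""Flag HTTP PUT requests whose body does not match the Content-Length header.

Added example for the detection section; not code from the advisory or from
NetX Duo. Input is a list of fully reassembled HTTP/1.x requests as bytes.
"""
from typing import Dict, List


def parse_request(raw: bytes) -> Dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    target = rest.split(b" ")[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method.decode("ascii", "replace"),
        "target": target.decode("ascii", "replace"),
        "headers": headers,
        "body": body,
    }


def assess_put(req: Dict) -> str:
    """Return a finding label for a PUT request, or 'ok' when the body fits the header."""
    raw_len = req["headers"].get(b"content-length")
    if raw_len is None:
        return "missing-content-length"
    try:
        declared = int(raw_len)
    except ValueError:
        return "malformed-content-length"
    if declared < 0:
        return "negative-content-length"
    actual = len(req["body"])
    # A body longer than declared is the mismatch the advisory describes; a shorter
    # body is normal mid-transfer and is not flagged.
    if actual > declared:
        return f"body-exceeds-content-length ({actual} > {declared})"
    return "ok"


def scan(requests: List[bytes]) -> List[Dict]:
    """Assess every PUT request and return the non-'ok' findings in input order."""
    findings = []
    for raw in requests:
        req = parse_request(raw)
        if req["method"].upper() != "PUT":
            continue
        verdict = assess_put(req)
        if verdict != "ok":
            findings.append({"target": req["target"], "finding": verdict})
    return findings


# Constructed sample traffic: one benign PUT, one oversize body, one negative
# length, one GET that is ignored, one non-numeric length.
SAMPLE_REQUESTS = [
    b"PUT /config.txt HTTP/1.1\r\nHost: dev\r\nContent-Length: 5\r\n\r\nhello",
    b"PUT /config.txt HTTP/1.1\r\nHost: dev\r\nContent-Length: 2\r\n\r\nAAAAAAAAAAAAAAAA",
    b"PUT /fw.bin HTTP/1.1\r\nHost: dev\r\nContent-Length: -1\r\n\r\nAAAA",
    b"GET /index.html HTTP/1.1\r\nHost: dev\r\n\r\n",
    b"PUT /x HTTP/1.1\r\nHost: dev\r\nContent-Length: abc\r\n\r\nzz",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Feed it complete requests only: the check compares the whole body against the header, so a request split across TCP segments must be reassembled first, and a client that pipelines a second request directly after a PUT body will show up as an oversize body and needs to be reviewed by hand.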
