CVE-2025-2260

7.5 HIGH

📋 TL;DR

This vulnerability in Eclipse ThreadX NetX Duo's HTTP server allows attackers to cause denial of service through specially crafted packets. The issue stems from missing file closure during error conditions, causing 404 errors for subsequent file requests. Systems using NetX Duo HTTP server with PUT request support enabled are affected.

💻 Affected Systems

Products:
  • Eclipse ThreadX NetX Duo
Versions: All versions before 6.4.3
Operating Systems: Any OS using NetX Duo (commonly embedded/IoT systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with HTTP server functionality enabled and PUT request support active.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete HTTP service disruption for all file requests after exploitation, requiring a service restart to recover functionality.

🟠 Likely Case: The HTTP server becomes unresponsive to file requests, affecting web services and applications relying on the HTTP server functionality.

🟢 If Mitigated: Minimal impact if PUT requests are disabled or the system is patched, with normal HTTP operations continuing uninterrupted.

🌐 Internet-Facing: HIGH - HTTP servers exposed to the internet are directly vulnerable to crafted packet attacks from any source.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to disrupt HTTP services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted packets to the HTTP server, which is straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.3

Vendor Advisory: https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f42f-6fvv-xqx3

Restart Required: Yes

Instructions:

1. Update NetX Duo to version 6.4.3 or later.
2. Rebuild and redeploy applications using NetX Duo.
3. Restart affected services.

🔧 Temporary Workarounds

Disable PUT Request Support (scope: all)

Disable HTTP PUT method support in the NetX Duo configuration to prevent exploitation: modify the NetX Duo configuration to set NX_DISABLE_PUT_REQUEST=1 or the equivalent build option.

🧯 If You Can't Patch

  • Disable HTTP PUT request support in configuration
  • Implement network filtering to block malicious HTTP packets targeting the server

🔍 How to Verify

Check if Vulnerable:

Check NetX Duo version: if below 6.4.3 and HTTP server with PUT support is enabled, system is vulnerable.

Check Version:

Check the application's build configuration or source code for the NX_VERSION define.

Verify Fix Applied:

Verify NetX Duo version is 6.4.3 or higher and test HTTP file requests after sending error-triggering packets.

📡 Detection & Monitoring

Log Indicators:

  • Sudden increase in 404 errors for valid file requests
  • HTTP server error logs showing file handle exhaustion

Network Indicators:

  • Unusual HTTP PUT requests followed by 404 responses for GET requests
  • HTTP service becoming unresponsive to file requests

SIEM Query:

source="http_server" (status=404) AND (method=GET) | stats count by src_ip
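The indicators above (a PUT request followed by 404 responses for GET requests on files that previously served correctly) can be checked offline against HTTP server logs. The following Python detector is an added example written for this page, not code from the advisory or from the NetX Duo project; the log format, sample lines, client addresses and thresholds are constructed for illustration and must be adapted to the real server's log layout.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Optional

# One record per line: "<ISO timestamp> <client ip> <method> <path> <status>".
# This layout is an assumption for the example; adjust the regex for real logs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample: files serve normally, a PUT hits an error path, and then
# GETs for the same previously-valid files start returning 404.
SAMPLE_LOG = """\
2025-06-01T10:00:00 10.0.0.5 GET /index.html 200
2025-06-01T10:00:01 10.0.0.5 GET /app.js 200
2025-06-01T10:00:05 10.0.0.9 PUT /upload.bin 500
2025-06-01T10:00:06 10.0.0.5 GET /index.html 404
2025-06-01T10:00:07 10.0.0.6 GET /app.js 404
2025-06-01T10:00:08 10.0.0.7 GET /index.html 404
2025-06-01T10:00:09 10.0.0.5 GET /missing.png 404
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def put_followed_by_404s(lines, window: timedelta = timedelta(minutes=5)) -> Counter:
    """Count GET 404s on paths that previously returned 200, occurring within
    `window` after the most recent PUT; each hit is attributed to that PUT's
    source address. 404s for paths that never served successfully are ignored,
    so ordinary missing-file noise does not trigger the detector."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    served_ok = set()   # paths known to have returned 200 to a GET
    last_put = None     # (timestamp, src) of the most recent PUT seen
    counts = Counter()
    for e in events:
        if e["method"] == "PUT":
            last_put = (e["ts"], e["src"])
        elif e["method"] == "GET":
            if e["status"] == 200:
                served_ok.add(e["path"])
            elif e["status"] == 404 and e["path"] in served_ok and last_put is not None:
                if e["ts"] - last_put[0] <= window:
                    counts[last_put[1]] += 1
    return counts


def alerting_sources(lines, min_404: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> list:
    """Return the PUT source addresses whose post-PUT 404 count reaches min_404."""
    counts = put_followed_by_404s(lines, window)
    return sorted(src for src, n in counts.items() if n >= min_404)


if __name__ == "__main__":
    print(put_followed_by_404s(SAMPLE_LOG.splitlines()))
    print(alerting_sources(SAMPLE_LOG.splitlines()))
```

The baseline of "known-good" paths is built from the same log, so run the detector over a window that starts before the suspected PUT; a 404 on a path that never served a 200 (the `/missing.png` line in the sample) is deliberately not counted.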
