CVE-2025-32398 – A NULL pointer dereference vulnerability in RT-... (How to Fix)

Q: What is the severity of CVE-2025-32398?

CVE-2025-32398 has a CVSS score of 7.5 (HIGH). A NULL pointer dereference vulnerability in RT-Labs P-Net library versions 1.0.1 and earlier allows remote attackers to crash industrial control system devices by sending specially crafted RPC packets. This affects any IO devices using the vulnerable P-Net library for industrial network communications.

📋 TL;DR

A NULL pointer dereference vulnerability in RT-Labs P-Net library versions 1.0.1 and earlier allows remote attackers to crash industrial control system devices by sending specially crafted RPC packets. This affects any IO devices using the vulnerable P-Net library for industrial network communications.

💻 Affected Systems

Products:

RT-Labs P-Net library
Industrial IO devices using P-Net protocol

Versions: 1.0.1 and earlier

Operating Systems: Embedded systems running P-Net stack

Default Config Vulnerable: ⚠️ Yes

Notes: Affects any device using the vulnerable P-Net library implementation, regardless of specific vendor branding.

📦 What is this software?

P Net by Rt Labs

View all CVEs affecting P Net →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service in critical industrial control systems, potentially disrupting manufacturing processes, safety systems, or infrastructure operations.

🟠

Likely Case

Targeted IO device crashes requiring manual restart, causing temporary production interruptions in industrial environments.

🟢

If Mitigated

Isolated device failures with minimal operational impact due to redundancy and proper network segmentation.

🌐 Internet-Facing: MEDIUM - While industrial systems shouldn't be internet-facing, misconfigurations could expose them to remote attacks.

🏢 Internal Only: HIGH - Industrial networks often have flat architectures where this vulnerability could spread between devices.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to P-Net enabled devices but no authentication. The vulnerability is in protocol parsing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with device vendors for updated firmware

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-32398

Restart Required: Yes

Instructions:

1. Contact device vendors for patched firmware. 2. Schedule maintenance window. 3. Backup configurations. 4. Apply firmware updates. 5. Verify functionality post-update.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate P-Net devices in separate VLANs with strict firewall rules

Traffic Filtering

all

Block unnecessary RPC traffic at network boundaries

🧯 If You Can't Patch

Implement strict network segmentation to isolate vulnerable devices
Deploy intrusion detection systems monitoring for abnormal P-Net traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check device firmware versions against vendor advisories. Use network scanners to identify P-Net protocol usage.

Check Version:

Vendor-specific commands vary. Typically check via device web interface or vendor management tools.

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions. Test device stability with normal RPC traffic.

📡 Detection & Monitoring

Log Indicators:

Device crash/restart logs
Abnormal P-Net protocol errors
Unexpected device reboots

Network Indicators:

Malformed RPC packets to port 20000/udp (typical P-Net)
Unusual traffic patterns to industrial devices

SIEM Query:

source="industrial_devices" AND (event_type="crash" OR event_type="reboot") AND protocol="P-Net"

📊 Metadata

CVE ID: CVE-2025-32398

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.09% exploit probability (26.2th percentile)

Published: May 7, 2025

Last Updated: May 13, 2025

🔗 References

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-32398 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-32398, you might also want to check these: