CVE-2025-55082

5.3 MEDIUM

📋 TL;DR

This vulnerability in NetX Duo's TLS implementation allows an attacker to trigger an out-of-bounds read by supplying a malformed PSK length in a ClientHello message. It affects systems that use NetX Duo versions before 6.4.4 for TLS connections. The vulnerability could lead to information disclosure or denial of service.

💻 Affected Systems

Products:
  • Eclipse ThreadX NetX Duo
Versions: All versions before 6.4.4
Operating Systems: Any OS using NetX Duo library
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using TLS with PSK (Pre-Shared Key) authentication enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution or complete system compromise through memory corruption leading to arbitrary code execution.

🟠 Likely Case: Denial of service through application crash or information disclosure of adjacent memory contents.

🟢 If Mitigated: Minimal impact if proper input validation and memory protections are in place.

🌐 Internet-Facing: MEDIUM - TLS servers accepting external connections are vulnerable to crafted ClientHello messages.
🏢 Internal Only: LOW - Internal TLS clients are less likely to receive malicious ClientHello messages.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires ability to send crafted TLS ClientHello messages to vulnerable TLS servers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.4

Vendor Advisory: https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-8h38-qjhh-mf2h

Restart Required: No

Instructions:

1. Update NetX Duo library to version 6.4.4 or later.
2. Recompile and redeploy applications using the updated library.
3. No service restart required for library update alone.

🔧 Temporary Workarounds

Disable PSK Authentication

all

Disable Pre-Shared Key authentication in TLS configuration if not required.

# Configure TLS to disable PSK: NX_SECURE_TLS_PSK_ENABLED=0

🧯 If You Can't Patch

  • Implement network filtering to block malicious TLS handshake patterns
  • Use application firewalls to inspect and validate TLS handshake messages

🔍 How to Verify

Check if Vulnerable:

Check NetX Duo library version in your application build configuration or source code.

Check Version:

# Check the NetX Duo version macros in source (defined in nx_api.h)
grep -rE "NETXDUO_(MAJOR|MINOR|PATCH)_VERSION" source_code/

Verify Fix Applied:

Verify NetX Duo version is 6.4.4 or later in your application build.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during TLS handshake
  • Memory access violation errors in logs

Network Indicators:

  • Abnormal TLS ClientHello messages with malformed PSK extensions
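
What "malformed" means for the PSK length fields, shown as a bounds-checked validator. This is an added example, not NetX Duo code and not taken from the advisory; it assumes the TLS 1.3 `pre_shared_key` extension layout from RFC 8446 section 4.2.11, and the names `rd16`, `psk_ext_check` and `sample_ok` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not NetX Duo code. Validates the body of a TLS 1.3
   pre_shared_key ClientHello extension (RFC 8446, section 4.2.11):
     identities<7..2^16-1>: { opaque identity<1..2^16-1>; uint32 age; } ...
     binders<33..2^16-1>:   { opaque binder<32..255>; } ...
   Every declared length is checked against the bytes that remain
   before anything is read or skipped. */

static int rd16(const uint8_t *p, size_t len, size_t *off, size_t *out)
{
    if (len - *off < 2) return -1;            /* *off <= len is an invariant */
    *out = ((size_t)p[*off] << 8) | p[*off + 1];
    *off += 2;
    return 0;
}

/* Returns the number of offered identities, or -1 if any length is invalid. */
int psk_ext_check(const uint8_t *ext, size_t len)
{
    size_t off = 0, list, end, n, ids = 0, binders = 0;

    if (rd16(ext, len, &off, &list) || list < 7 || list > len - off) return -1;
    for (end = off + list; off < end; ids++) {
        if (rd16(ext, end, &off, &n) || n < 1) return -1;
        if (end - off < 4 || n > end - off - 4) return -1;  /* identity + age */
        off += n + 4;
    }
    if (rd16(ext, len, &off, &list) || list < 33 || list > len - off) return -1;
    for (end = off + list; off < end; binders++) {
        n = ext[off++];                        /* one-byte binder length */
        if (n < 32 || n > end - off) return -1;
        off += n;
    }
    /* No trailing bytes, and exactly one binder per identity. */
    return (off == len && ids == binders) ? (int)ids : -1;
}

/* Constructed sample: one 1-byte identity, one 32-byte all-zero binder. */
static const uint8_t sample_ok[44] = {
    0x00, 0x07, 0x00, 0x01, 'A', 0, 0, 0, 0,   /* identities list */
    0x00, 0x21, 0x20                           /* binders list header */
};

int main(void) { return psk_ext_check(sample_ok, sizeof sample_ok) == 1 ? 0 : 1; }
```
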

SIEM Query:

event.category:network AND tls.handshake.type:client_hello AND (pskextension.length:>2048 OR pskextension.length:<0)
