CVE-2025-55102
📋 TL;DR
This CVE describes a denial-of-service vulnerability in Eclipse ThreadX NetX Duo's IPv6 component where sending a specially crafted 'Packet Too Big' ICMPv6 message with more than 15 different source addresses can crash or hang the system. This affects any device running vulnerable versions of NetX Duo that processes IPv6 network traffic. The vulnerability requires network access to the target system.
💻 Affected Systems
- Eclipse ThreadX NetX Duo
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash or hang requiring manual reboot, disrupting all services on affected devices.
Likely Case
Temporary service disruption until system automatically recovers or is manually restarted.
If Mitigated
Minimal impact with proper network filtering and updated software.
🎯 Exploit Status
Exploitation requires sending crafted ICMPv6 packets to target IPv6 address, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub advisory for specific fixed version
Vendor Advisory: https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f3rx-xrwm-q2rf
Restart Required: Yes
Instructions:
1. Update the NetX Duo library to the patched version.
2. Recompile and redeploy affected applications.
3. Restart systems using the updated library.
🔧 Temporary Workarounds
Filter ICMPv6 Packet Too Big messages
Configure network devices to filter or rate-limit ICMPv6 'Packet Too Big' messages destined for vulnerable systems. Dropping these messages outright also disables Path MTU Discovery for the protected hosts, so prefer rate-limiting where large packets must traverse smaller-MTU links.
# Example ip6tables rule for a Linux host (iptables handles IPv4 only): ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j DROP
Disable IPv6 if not required
Disable IPv6 functionality on systems where it is not needed for operation. The commands below apply to general-purpose Linux and Windows hosts; on a NetX Duo device itself, IPv6 is a build-time option (NX_DISABLE_IPV6 in nx_user.h).
# Linux (not persistent across reboot): sysctl -w net.ipv6.conf.all.disable_ipv6=1
# Windows (PowerShell): Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems from untrusted networks
- Deploy intrusion prevention systems (IPS) to detect and block malicious ICMPv6 traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check NetX Duo library version against advisory. Systems experiencing unexpected crashes after receiving ICMPv6 traffic may be vulnerable.
Check Version:
# Check the NetX Duo version in source code or build configuration, e.g. in the library's nx_api.h: grep -E 'NETXDUO_(MAJOR|MINOR|PATCH)_VERSION' common/inc/nx_api.h
Verify Fix Applied:
Verify NetX Duo library is updated to patched version and test with ICMPv6 traffic simulation.
📡 Detection & Monitoring
Log Indicators:
- System crashes or hangs after network traffic
- ICMPv6 packet processing errors in system logs
Network Indicators:
- Multiple ICMPv6 'Packet Too Big' messages from varied source addresses to single target
SIEM Query:
source:firewall AND icmpv6.type:2 AND count(source_ip) > 15
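The network indicator above (many distinct sources sending ICMPv6 type 2 to a single target, using the page's threshold of more than 15 source addresses) implemented as a standalone detector over flow records. This is an added example, not code from the page or from the NetX Duo project; the record format, the 60-second correlation window and the sample records are constructed assumptions.

```python
"""Flag IPv6 targets that receive ICMPv6 'Packet Too Big' (type 2) messages
from many distinct sources inside a short window. Sample data is constructed."""
from collections import defaultdict, deque
from ipaddress import ip_address

ICMPV6_PACKET_TOO_BIG = 2
DISTINCT_SOURCE_THRESHOLD = 15   # the page's "more than 15 source addresses"
WINDOW_SECONDS = 60              # assumed correlation window

def parse_record(line):
    """Assumed record format: 'ts src dst icmpv6_type'. Returns None on bad input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts, src, dst, typ = float(parts[0]), ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
    except ValueError:
        return None
    if src.version != 6 or dst.version != 6:
        return None
    return ts, src.compressed, dst.compressed, typ   # normalised address text

def detect_ptb_floods(lines, threshold=DISTINCT_SOURCE_THRESHOLD, window=WINDOW_SECONDS):
    """Return {target: peak_distinct_sources} for targets that got type-2 messages
    from more than `threshold` distinct sources within any `window` seconds."""
    recent = defaultdict(deque)   # dst -> (ts, src) pairs, oldest first
    alerts = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[3] != ICMPV6_PACKET_TOO_BIG:
            continue            # skip malformed records and other ICMPv6 types
        ts, src, dst, _ = rec
        q = recent[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()         # expire records outside the sliding window
        distinct = len({s for _, s in q})
        if distinct > threshold:
            alerts[dst] = max(alerts.get(dst, 0), distinct)
    return alerts

# Constructed sample: 20 distinct sources hit one target within 20 seconds, while a
# second target receives repeated messages from a single router (normal PMTUD).
SAMPLE_LOG = [f"{1000 + i} 2001:db8:bad::{i + 1:x} 2001:db8:1::10 2" for i in range(20)]
SAMPLE_LOG += [f"{1000 + i} 2001:db8:2::1 2001:db8:1::20 2" for i in range(30)]
SAMPLE_LOG += ["1005 2001:db8:2::1 2001:db8:1::20 128", "garbage line"]

if __name__ == "__main__":
    print(detect_ptb_floods(SAMPLE_LOG))   # {'2001:db8:1::10': 20}
```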