CVE-2025-62600
📋 TL;DR
This vulnerability in Fast DDS allows remote attackers to cause a denial-of-service (DoS) by sending specially crafted SPDP packets with modified DATA Submessage fields. When security mode is enabled, tampering with length fields in PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN triggers an integer overflow leading to out-of-memory conditions and process termination. Systems using vulnerable versions of Fast DDS with security features enabled are affected.
💻 Affected Systems
- Fast DDS (formerly Fast RTPS)
📦 What is this software?
Fast DDS by eProsima
⚠️ Risk & Real-World Impact
Worst Case
Remote attackers can crash Fast-DDS processes, causing complete denial of service for DDS-based applications and disrupting real-time data distribution systems.
Likely Case
DoS attacks leading to service disruption in industrial control systems, robotics, autonomous vehicles, or IoT platforms using Fast DDS with security enabled.
If Mitigated
Limited impact if security mode is disabled or systems are behind firewalls with strict network controls.
🎯 Exploit Status
Exploitation requires sending crafted network packets to Fast DDS endpoints with security enabled. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.1, 3.3.1, or 2.6.11
Vendor Advisory: https://github.com/eProsima/Fast-DDS/security/advisories
Restart Required: Yes
Instructions:
1. Identify the installed Fast DDS version.
2. Upgrade to the patched release for your branch: 3.x users to 3.4.1 or 3.3.1, 2.x users to 2.6.11.
3. Recompile applications against the updated library.
4. Restart all Fast DDS processes.
🔧 Temporary Workarounds
Disable Security Mode
Temporarily disable Fast DDS security features if they are not required.
Modify the XML configuration to set <security><enabled>false</enabled></security>
Network Segmentation
Restrict network access to Fast DDS endpoints (Linux example):
iptables -A INPUT -p tcp --dport 7400 -j DROP
iptables -A INPUT -p udp --dport 7400 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit who can communicate with Fast DDS endpoints
- Monitor for abnormal memory consumption or Fast DDS process crashes as early indicators of attack
🔍 How to Verify
Check if Vulnerable:
Check Fast DDS version and security configuration. Vulnerable if version < 3.4.1/3.3.1/2.6.11 AND security enabled.
Check Version:
Run fastdds --version, or check the library version in the application's build configuration.
Verify Fix Applied:
Verify that the version is the patched release for your branch (3.4.1, 3.3.1, or 2.6.11) or later, and test with security enabled under load.
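As an added example (not the advisory's or eProsima's own code), the following Python check encodes the rule above: a build is affected only when its version is below the fix for its branch and security is enabled. It assumes version text containing an x.y.z number, the <security><enabled> element named in the workaround section, and plain numeric comparison for branches the advisory does not list.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(3, 4): (3, 4, 1), (3, 3): (3, 3, 1), (2, 6): (2, 6, 11)}

# Constructed samples of the XML setting the workaround section refers to.
SAMPLE_XML_SECURITY_ON = "<dds><security><enabled>true</enabled></security></dds>"
SAMPLE_XML_SECURITY_OFF = "<dds><security><enabled>false</enabled></security></dds>"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull (major, minor, patch) out of version text such as 'Fast DDS 3.4.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_fixed(version: Tuple[int, int, int]) -> bool:
    """True when the version is at or above the advisory's fix for its branch.

    Branches the advisory does not name are an assumption here: 3.0-3.2 must
    move to 3.3.1/3.4.1 and are treated as unfixed, anything above 3.4 as
    fixed, and 2.x is compared numerically against 2.6.11.
    """
    major, minor, _ = version
    if major >= 4 or (major == 3 and minor >= 5):
        return True
    if major == 3:
        fixed = FIXED.get((3, minor))
        return fixed is not None and version >= fixed
    if major == 2:
        return version >= FIXED[(2, 6)]
    return False  # 1.x / Fast RTPS: no fix listed, treat as unfixed


def security_enabled(xml_text: str) -> bool:
    """Read the <security><enabled> flag from the profile XML (element path from the advisory)."""
    node = ET.fromstring(xml_text).find(".//security/enabled")
    return node is not None and (node.text or "").strip().lower() == "true"


def is_vulnerable(version_text: str, xml_text: str) -> bool:
    """Advisory rule: affected only when the build is unpatched AND security is on."""
    return security_enabled(xml_text) and not is_fixed(parse_version(version_text))
```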
📡 Detection & Monitoring
Log Indicators:
- Fast DDS process crashes
- Out of memory errors in system logs
- Abnormal termination of DDS applications
Network Indicators:
- Unusual SPDP packets with modified DATA Submessage fields
- Traffic to Fast DDS ports (typically 7400) with malformed security tokens
SIEM Query:
process_name:"fastdds" AND (event_type:"crash" OR memory_usage:"high")
🔗 References
- https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
- https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
- https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a
- https://security-tracker.debian.org/tracker/CVE-2025-62600