CVE-2025-62601
📋 TL;DR
A heap buffer overflow vulnerability in Fast DDS allows remote attackers to terminate the Fast-DDS process by sending specially crafted SPDP packets when security mode is enabled. This affects all deployments running Fast DDS versions prior to the patched releases. Security mode must be enabled for the vulnerability to be reachable.
💻 Affected Systems
- Fast DDS (formerly Fast RTPS)
📦 What is this software?
Fast DDS by eProsima
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if the heap overflow can be weaponized beyond denial of service; current analysis, however, indicates that process termination is the primary outcome.
Likely Case
Remote denial of service causing Fast-DDS process termination, disrupting DDS communications in affected systems.
If Mitigated
No impact if security mode is disabled or systems are patched to fixed versions.
🎯 Exploit Status
Exploitation requires crafting SPDP packets with modified DATA Submessage fields, but no authentication is needed if network access is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.1, 3.3.1, or 2.6.11 depending on your version branch
Vendor Advisory: https://github.com/eProsima/Fast-DDS/security/advisories
Restart Required: Yes
Instructions:
1. Identify your Fast DDS version.
2. Upgrade to 3.4.1 (for 3.4.x), 3.3.1 (for 3.3.x), or 2.6.11 (for 2.6.x).
3. Restart all Fast DDS services and applications.
🔧 Temporary Workarounds
Disable Security Mode
Temporarily disable Fast DDS security mode to prevent exploitation while planning patching (all platforms).
Modify Fast DDS configuration to set <security><enabled>false</enabled></security>
Network Segmentation
Restrict network access to Fast DDS endpoints using firewalls (Linux example):
iptables -A INPUT -p tcp --dport 7400 -j DROP
iptables -A INPUT -p udp --dport 7400 -j DROP
🧯 If You Can't Patch
- Disable Fast DDS security mode in all configurations
- Implement strict network controls to limit access to Fast DDS endpoints (typically port 7400)
🔍 How to Verify
Check if Vulnerable:
Check the Fast DDS version and the security mode configuration. If the version is below 3.4.1/3.3.1/2.6.11 for its branch and security mode is enabled, the system is vulnerable.
Check Version:
Run fastdds --version, or check which Fast DDS libraries the application links against.
Verify Fix Applied:
Verify that the Fast DDS version is 3.4.1, 3.3.1, or 2.6.11 or later for your branch, and confirm that services restart successfully.
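An added example (not eProsima's code or tooling) that applies the two conditions above to a version string taken from a binary or library name and to the security-mode setting. The fixed versions come from this page; returning None for maintenance branches the advisory does not list is this example's own assumption.

```python
"""Branch-aware vulnerability check for CVE-2025-62601 (example code, not eProsima's)."""
import re

# Fixed releases per maintenance branch, as listed in the advisory above.
FIXED_BY_BRANCH = {
    (3, 4): (3, 4, 1),
    (3, 3): (3, 3, 1),
    (2, 6): (2, 6, 11),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first X.Y.Z triple from text such as 'Fast DDS 3.4.0' or a
    library file name like 'libfastdds.so.3.4.0'. Returns None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def needs_patch(version):
    """True if the version is on a listed branch and older than its fix,
    False if it is at or above the fix. Branches the advisory does not list
    return None (assumption: check those against the vendor advisory)."""
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def is_vulnerable(version_text, security_enabled):
    """Apply the advisory's two conditions: unpatched version AND security mode on.
    Returns True/False, or None when the branch is not covered by the advisory."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError("no X.Y.Z version found in %r" % version_text)
    if not security_enabled:
        return False  # the overflow is only reachable with security mode enabled
    return needs_patch(version)


if __name__ == "__main__":
    # Constructed sample inputs, not output of a real scan.
    for text, sec in [("libfastdds.so.3.4.0", True), ("Fast DDS 2.6.11", True), ("3.3.0", False)]:
        print(text, "security=%s" % sec, "->", is_vulnerable(text, sec))
```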
📡 Detection & Monitoring
Log Indicators:
- Fast DDS process termination/crash logs
- Segmentation fault errors in system logs
- Abnormal SPDP packet size warnings
Network Indicators:
- Unusually large SPDP packets
- Multiple SPDP packets with modified DATA Submessage fields
- Malformed traffic to Fast DDS ports (7400)
SIEM Query:
source="fastdds.log" AND ("segmentation fault" OR "buffer overflow" OR "process terminated")
🔗 References
- https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f
- https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
- https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a
- https://security-tracker.debian.org/tracker/CVE-2025-62601