CVE-2025-55082 in NetX Duo
Summary
by MITRE • 10/15/2025
In NetX Duo versions before 6.4.4, a component of Eclipse Foundation ThreadX, there was a potential out-of-bounds read in _nx_secure_tls_process_clienthello() because of missing validation of the PSK length provided in the user message.
Analysis
by VulDB Data Team • 10/22/2025
The vulnerability identified as CVE-2025-55082 affects versions prior to 6.4.4 of NetX Duo, the network stack component of Eclipse Foundation ThreadX, and sits in its TLS implementation. It is a potential out-of-bounds read that occurs while processing TLS client hello messages, a significant weakness in the cryptographic handshake mechanism. The flaw is particularly concerning because it directly impacts the TLS implementation that secures communications between network devices and services, potentially exposing systems to unauthorized data access or manipulation.
The technical root cause of this vulnerability lies in the insufficient validation of the Pre-Shared Key (PSK) length parameter within the _nx_secure_tls_process_clienthello() function. When processing client hello messages, the system fails to validate the length of the PSK data provided by the client, so malformed or excessively long PSK values are processed without bounds checking. This missing validation allows attackers to send specially crafted TLS client hello messages containing invalid PSK length values, which can then trigger memory access violations or information disclosure through out-of-bounds memory reads. The vulnerability falls under CWE-129 Input Validation and CWE-787 Out-of-bounds Read, both of which are classified as critical security weaknesses in software development practices.
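The kind of length validation described above, as an added example; it is not NetX Duo's code or its 6.4.4 fix. It checks every client-declared length against the bytes actually received and against the destination buffer before copying. Assumptions: the PSK data is laid out as the TLS 1.3 pre_shared_key extension (RFC 8446, section 4.2.11), which the page does not specify; psk_first_identity, the 64-byte buffer and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: one identity "abc", ticket age 0, one 32-byte binder. */
static const uint8_t sample_ok[46] = {
    0x00, 0x09,                  /* identities list length */
    0x00, 0x03, 'a', 'b', 'c',   /* identity length + identity */
    0x00, 0x00, 0x00, 0x00,      /* obfuscated_ticket_age */
    0x00, 0x21, 0x20             /* binders length, binder length; 32 zero bytes follow */
};

/* Big-endian 16-bit read; the caller has already checked 2 bytes remain. */
static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Validate a pre_shared_key extension body and copy out the first identity.
 * Returns the identity length, or -1 when a declared length does not fit.
 * Hypothetical helper, not a NetX Duo API. */
int psk_first_identity(const uint8_t *ext, size_t ext_len,
                       uint8_t *out, size_t out_cap)
{
    size_t off = 2, ids_end, id_len, first_len = 0;

    if (ext_len < 2) return -1;
    if (rd16(ext) < 7 || rd16(ext) > ext_len - off) return -1;
    ids_end = off + rd16(ext);

    while (off < ids_end) {
        if (ids_end - off < 2 + 1 + 4) return -1;   /* smallest legal entry */
        id_len = rd16(ext + off);
        off += 2;
        /* The identity and its 4-byte ticket age must end inside the list. */
        if (id_len == 0 || id_len > ids_end - off - 4) return -1;
        if (first_len == 0) {
            if (id_len > out_cap) return -1;        /* destination capacity */
            memcpy(out, ext + off, id_len);
            first_len = id_len;
        }
        off += id_len + 4;
    }
    /* The binders list must account for exactly the remaining bytes. */
    if (ext_len - off < 2 || rd16(ext + off) < 33) return -1;
    if (rd16(ext + off) != ext_len - off - 2) return -1;
    return (int)first_len;
}

int main(void)
{
    uint8_t id[64];   /* assumed size of the receiver's identity buffer */
    printf("%d\n", psk_first_identity(sample_ok, sizeof sample_ok, id, sizeof id));
    return 0;
}
```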
The operational impact of this vulnerability extends beyond simple memory corruption, as it can potentially enable attackers to extract sensitive information from memory locations adjacent to the PSK buffer. This information disclosure could include cryptographic keys, session data, or other confidential information that may aid in further attacks against the affected systems. The vulnerability affects systems using NetX Duo with ThreadX components, which are commonly deployed in embedded systems, industrial control networks, and IoT devices where secure communication is paramount. Attackers exploiting this weakness could potentially gain insights into the internal state of TLS implementations, undermining the confidentiality and integrity guarantees that TLS protocols are designed to provide. This vulnerability aligns with ATT&CK technique T1592 Reconnaissance and T1071 Application Layer Protocol, as it enables adversaries to gather information about the target system's security implementation.
Mitigation strategies for this vulnerability should focus on immediate patching of affected NetX Duo installations to version 6.4.4 or later, which includes proper validation of PSK length parameters. Organizations should also implement network monitoring to detect anomalous TLS client hello messages that might indicate exploitation attempts. Additional defensive measures include configuring firewalls to restrict access to affected services, implementing network segmentation to limit the attack surface, and conducting thorough security assessments of all systems utilizing ThreadX components. Security teams should also consider implementing intrusion detection systems that can identify malformed TLS messages and establish incident response procedures to address potential exploitation attempts. The vulnerability highlights the importance of proper input validation in cryptographic implementations and reinforces the need for comprehensive security testing of embedded system components that handle sensitive network communications.