CVE-2025-0726
Published: 21 February 2025
Summary
CVE-2025-0726 is a high-severity Incomplete Cleanup (CWE-459) vulnerability in Eclipse Threadx Netx Duo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 42.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly mitigating this CVE by applying the patch to Eclipse ThreadX NetX Duo version 6.4.2 or later.
SI-11 enforces secure error handling that prevents resource leaks like the unclosed file handle during HTTP PUT error conditions.
SC-5 implements denial-of-service protections to counter the availability impact from specially crafted packets causing file handle exhaustion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a resource leak (file handle) in a network-facing HTTP server that is directly exploitable to crash/impair the service, mapping to application exploitation for endpoint DoS.
NVD Description
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause a denial of service by specially crafted packets. The core issue is missing closing of a file in case of an error condition,…
more
resulting in the 404 error for each further file request. Users can work-around the issue by disabling the PUT request support.
Deeper analysisAI
CVE-2025-0726 affects the NetX HTTP server functionality in Eclipse ThreadX NetX Duo versions prior to 6.4.2. The vulnerability stems from a failure to close a file handle under certain error conditions, classified under CWE-459 (Incomplete Cleanup). This issue enables a denial-of-service condition, as evidenced by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no requirements for privileges or user interaction.
An unauthenticated attacker with network access can exploit this vulnerability by sending specially crafted packets, likely targeting PUT requests, to trigger the error condition. Once exploited, the server will return a 404 error for all subsequent file requests, effectively rendering the HTTP service unavailable and causing a denial of service.
Mitigation is available through upgrading to Eclipse ThreadX NetX Duo version 6.4.2 or later, as detailed in the project's GitHub security advisory (GHSA-pwf8-5q9w-m763) and the associated fix commit (c78d650be7377aae1a8704bc0ce5cc6f9f189014). As a workaround, users can disable PUT request support in the NetX HTTP server configuration.
Details
- CWE(s)