CVE-2025-0728
Published: 21 February 2025
Summary
CVE-2025-0728 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in Eclipse Threadx Netx Duo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the integer underflow vulnerability in HTTP PUT processing by applying the vendor patch to Eclipse ThreadX NetX Duo version 6.4.2.
Enforces least functionality by disabling unnecessary HTTP PUT support, implementing the vendor-recommended workaround to block exploitation.
Validates HTTP Content-Length headers against actual incoming data sizes to prevent integer underflow from specially crafted oversized packets.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing HTTP server leading to application crash/DoS via integer underflow.
NVD Description
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than…
more
the data request size. A possible workaround is to disable HTTP PUT support.
Deeper analysisAI
CVE-2025-0728 is an integer underflow vulnerability (CWE-191) in the HTTP server functionality of Eclipse ThreadX NetX Duo versions before 6.4.2. The flaw occurs when processing specially crafted packets for writing a very large file, where the Content-Length header specifies a value smaller than the actual data size sent, triggering the underflow.
An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation causes a denial of service, potentially crashing the affected HTTP server or rendering it unavailable.
The Eclipse ThreadX NetX Duo security advisory (GHSA-hqp7-4q26-6wqf) and associated GitHub commit (c78d650be7377aae1a8704bc0ce5cc6f9f189014) detail the patch in version 6.4.2. A recommended workaround is to disable HTTP PUT support to prevent exploitation.
Details
- CWE(s)