CVE-2025-0728
Published: 21 February 2025
Summary
CVE-2025-0728 is a medium-severity Wrap or Wraparound (CWE-191) vulnerability in Eclipse Threadx Netx Duo. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-0728 is an integer underflow vulnerability (CWE-191) in the HTTP server functionality of Eclipse ThreadX NetX Duo versions before 6.4.2. The flaw occurs when processing specially crafted packets for writing a very large file, where the Content-Length header specifies a value smaller than the actual data size sent, triggering the underflow.
An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation causes a denial of service, potentially crashing the affected HTTP server or rendering it unavailable.
The Eclipse ThreadX NetX Duo security advisory (GHSA-hqp7-4q26-6wqf) and associated GitHub commit (c78d650be7377aae1a8704bc0ce5cc6f9f189014) detail the patch in version 6.4.2. A recommended workaround is to disable HTTP PUT support to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5085
Vulnerability details
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than…
more
the data request size. A possible workaround is to disable HTTP PUT support.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing HTTP server leading to application crash/DoS via integer underflow.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the integer underflow vulnerability in HTTP PUT processing by applying the vendor patch to Eclipse ThreadX NetX Duo version 6.4.2.
Enforces least functionality by disabling unnecessary HTTP PUT support, implementing the vendor-recommended workaround to block exploitation.
Validates HTTP Content-Length headers against actual incoming data sizes to prevent integer underflow from specially crafted oversized packets.