Cyber Resilience

CVE-2025-0728

Medium

Published: 21 February 2025

Published
21 February 2025
Modified
31 July 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0035 57.9th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0728 is a medium-severity Wrap or Wraparound (CWE-191) vulnerability in Eclipse Threadx Netx Duo. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-0728 is an integer underflow vulnerability (CWE-191) in the HTTP server functionality of Eclipse ThreadX NetX Duo versions before 6.4.2. The flaw occurs when processing specially crafted packets for writing a very large file, where the Content-Length header specifies a value smaller than the actual data size sent, triggering the underflow.

An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation causes a denial of service, potentially crashing the affected HTTP server or rendering it unavailable.

The Eclipse ThreadX NetX Duo security advisory (GHSA-hqp7-4q26-6wqf) and associated GitHub commit (c78d650be7377aae1a8704bc0ce5cc6f9f189014) detail the patch in version 6.4.2. A recommended workaround is to disable HTTP PUT support to prevent exploitation.

EU & UK References

Vulnerability details

In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than…

more

the data request size. A possible workaround is to disable HTTP PUT support.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of public-facing HTTP server leading to application crash/DoS via integer underflow.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0727Same product: Eclipse Threadx Netx Duo
CVE-2025-0726Same product: Eclipse Threadx Netx Duo
CVE-2025-55102Same product: Eclipse Threadx Netx Duo
CVE-2024-10838Same vendor: Eclipse
CVE-2026-1605Same vendor: Eclipse
CVE-2025-55100Same vendor: Eclipse
CVE-2026-1188Same vendor: Eclipse
CVE-2026-44060Shared CWE-191
CVE-2026-6918Same vendor: Eclipse
CVE-2025-67109Same vendor: Eclipse

Affected Assets

eclipse
threadx netx duo
≤ 6.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the integer underflow vulnerability in HTTP PUT processing by applying the vendor patch to Eclipse ThreadX NetX Duo version 6.4.2.

prevent

Enforces least functionality by disabling unnecessary HTTP PUT support, implementing the vendor-recommended workaround to block exploitation.

prevent

Validates HTTP Content-Length headers against actual incoming data sizes to prevent integer underflow from specially crafted oversized packets.

References