CVE-2025-55102
Published: 27 January 2026
Summary
CVE-2025-55102 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Eclipse Threadx Netx Duo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption.
Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Single-packet resource exhaustion DoS via crafted ICMPv6 input directly matches application/system exploitation for endpoint denial of service.
NVD Description
A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of "Packet Too Big" with more than 15 different source address can lead to denial of service. An attacker can…
more
send a malicious packet to trigger this vulnerability.
Deeper analysisAI
CVE-2025-55102 is a denial-of-service vulnerability in the NetX IPv6 component of Eclipse ThreadX NetX Duo. The issue arises when a specially crafted IPv6 "Packet Too Big" ICMP message containing more than 15 different source addresses is processed, leading to a denial of service. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWEs 400 (Uncontrolled Resource Consumption), 404 (Improper Resource Shutdown or Release), 770 (Allocation of Resources Without Limits or Throttling), and NVD-CWE-noinfo.
An unauthenticated attacker with network access can exploit this vulnerability by sending a single malicious packet to a vulnerable device. Successful exploitation disrupts service availability on the target system without requiring privileges, user interaction, or special conditions, potentially causing resource exhaustion and halting network functionality.
The Eclipse ThreadX NetX Duo GitHub security advisory at https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f3rx-xrwm-q2rf provides further details on the vulnerability, including recommended mitigations.
Details
- CWE(s)