CVE-2025-63548

High

Published: 01 May 2026

Published

01 May 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0014 33.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63548 is a high-severity Improper Handling of Unexpected Data Type (CWE-241) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 33.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the vulnerability by requiring validation of Boolean fields in incoming XRCE-DDS packets to reject non-valid values before processing.

SI-11 Error Handling good match

prevent

Ensures the agent handles errors from invalid Boolean values in crafted packets without crashing or disrupting service availability.

SC-5 Denial-of-service Protection good match

prevent

Protects against denial-of-service from remote malformed packet attacks by limiting effects and rejecting prohibitive communications.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Direct application-layer DoS via crafted packet exploiting invalid Boolean field handling, matching T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a packet specially crafted to bear a non-valid value in any Boolean field.

Deeper analysisAI

CVE-2025-63548 is a denial-of-service vulnerability affecting Eprosima Micro-XRCE-DDS Agent version 3.0.1. The issue arises when the agent processes a specially crafted packet containing a non-valid value in any Boolean field, leading to a crash or service disruption. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-241.

A remote attacker can exploit this vulnerability without authentication or user interaction by sending a malicious packet over the network. Successful exploitation results in high-impact availability disruption, such as denial of service against the affected agent, with low attack complexity required.

Mitigation details and further discussion are available in the referenced advisories, including the GitHub issue at https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389 and a CVE listing at https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md.

Details

CWE(s): CWE-241

CVEs Like This One

CVE-2025-2268Shared CWE-241

References

https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389
cve@mitre.org
https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md
cve@mitre.org