Cyber Resilience

CVE-2025-67109

Critical

Published: 23 December 2025

Published
23 December 2025
Modified
06 January 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0030 21.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67109 is a critical-severity Improper Validation of Certificate Expiration (CWE-298) vulnerability in Eclipse Cyclone Data Distribution Service. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67109 involves improper verification of the time certificate in Eclipse Cyclone DDS versions before v0.10.5. This vulnerability, classified under CWE-298, enables attackers to bypass certificate checks. Published on 2025-12-23, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critically severe.

The attack scenario targets remote networks with low complexity, requiring no privileges, user interaction, or authentication. Attackers can exploit the flaw to circumvent certificate validation, achieving remote code execution with System privileges and causing high impacts to confidentiality, integrity, and availability across a changed scope.

References point to the Eclipse website at http://eclipse.com and a GitHub Gist at https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6, along with specific code locations in the CycloneDDS repository: src/ddsrt/src/time/posix/time.c#L28 and src/security/builtin_plugins/authentication/src/auth_utils.c#L84. These indicate the need to upgrade to v0.10.5 or later to address the improper verification.

EU & UK References

Vulnerability details

Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote, unauthenticated attackers to bypass certificate validation in Eclipse Cyclone DDS, a network-exposed service, leading directly to remote code execution, mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-10838Same product: Eclipse Cyclone Data Distribution Service
CVE-2026-1188Same vendor: Eclipse
CVE-2026-2332Same vendor: Eclipse
CVE-2025-55100Same vendor: Eclipse
CVE-2025-0728Same vendor: Eclipse
CVE-2026-5795Same vendor: Eclipse
CVE-2026-1605Same vendor: Eclipse
CVE-2026-24457Same vendor: Eclipse
CVE-2026-2587Same vendor: Eclipse
CVE-2026-2586Same vendor: Eclipse

Affected Assets

eclipse
cyclone data distribution service
≤ 0.10.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of flaws such as the improper time certificate verification in Eclipse Cyclone DDS by applying patches or upgrades to v0.10.5 or later.

prevent

Mandates proper management and validation of PKI certificates, including time validity checks, directly countering the certificate bypass vulnerability.

detect

Provides vulnerability scanning and monitoring to identify the CVE-2025-67109 flaw in Cyclone DDS installations for subsequent remediation.

References