CVE-2025-67109
Published: 23 December 2025
Summary
CVE-2025-67109 is a critical-severity Improper Validation of Certificate Expiration (CWE-298) vulnerability in Eclipse Cyclone Data Distribution Service. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of flaws such as the improper time certificate verification in Eclipse Cyclone DDS by applying patches or upgrades to v0.10.5 or later.
Mandates proper management and validation of PKI certificates, including time validity checks, directly countering the certificate bypass vulnerability.
Provides vulnerability scanning and monitoring to identify the CVE-2025-67109 flaw in Cyclone DDS installations for subsequent remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote, unauthenticated attackers to bypass certificate validation in Eclipse Cyclone DDS, a network-exposed service, leading directly to remote code execution, mapping to T1190: Exploit Public-Facing Application.
NVD Description
Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.
Deeper analysisAI
CVE-2025-67109 involves improper verification of the time certificate in Eclipse Cyclone DDS versions before v0.10.5. This vulnerability, classified under CWE-298, enables attackers to bypass certificate checks. Published on 2025-12-23, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critically severe.
The attack scenario targets remote networks with low complexity, requiring no privileges, user interaction, or authentication. Attackers can exploit the flaw to circumvent certificate validation, achieving remote code execution with System privileges and causing high impacts to confidentiality, integrity, and availability across a changed scope.
References point to the Eclipse website at http://eclipse.com and a GitHub Gist at https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6, along with specific code locations in the CycloneDDS repository: src/ddsrt/src/time/posix/time.c#L28 and src/security/builtin_plugins/authentication/src/auth_utils.c#L84. These indicate the need to upgrade to v0.10.5 or later to address the improper verification.
Details
- CWE(s)