CVE-2025-55081

moderate-risk

Published 2025-10-15

In Eclipse Foundation NextX Duo before 6.4.4, a module of ThreadX, the _nx_secure_tls_process_clienthello() function was missing length verification of certain SSL/TLS client hello message: the ciphersuite length and compression method length. In case of an attacker-crafted message with values outside of the expected range, it could cause an out-of-bound read.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Threadx Netx Duo

Affected Vendors

Eclipse

References (1)

Vendor Advisory https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-5vrv-8j5h-h6...

/ 100

moderate-risk

Severity 31/34 · Critical

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal