CVE-2025-55079 is a vulnerability identified in the Eclipse Foundation's ThreadX real-time operating system (RTOS) before version 6.4.3. ThreadX is widely used in embedded systems and IoT devices, where real-time thread scheduling is critical. The vulnerability stems from a flaw in the thread module's handling of maximum thread priority settings. Specifically, the system fails to properly enforce the maximum priority check in certain cases, allowing a thread to be assigned a priority higher than the configured maximum. This improper allocation of thread priority can disrupt the intended scheduling order, potentially starving other threads of CPU time and causing a denial of service (DoS) condition. The vulnerability is categorized under CWE-770, which pertains to allocation of resources without limits or throttling. Exploitation requires local access with partial authentication privileges (PR:L, AT:P), but does not require user interaction (UI:N). The attack vector is local (AV:L), meaning an attacker must have some level of access to the device or system running ThreadX. The vulnerability does not affect confidentiality, integrity, or availability directly but impacts availability through resource exhaustion or thread starvation. No known public exploits or active exploitation have been reported to date. The CVSS 4.0 base score is 5.7, indicating a medium severity level. The lack of patch links suggests that users should upgrade to ThreadX version 6.4.3 or later where the issue is resolved. Given ThreadX's prevalence in embedded and IoT environments, the vulnerability poses a risk to devices where real-time performance and thread prioritization are critical.

For European organizations, the primary impact of CVE-2025-55079 is the potential for denial of service in embedded and IoT devices running vulnerable versions of ThreadX. This can lead to operational disruptions in critical infrastructure sectors such as manufacturing, energy, transportation, and healthcare, where real-time systems are essential. Industrial control systems (ICS) and operational technology (OT) environments that rely on ThreadX for deterministic scheduling could experience degraded performance or outages, affecting production lines or safety systems. The requirement for local access and partial authentication limits the attack surface but insider threats or compromised devices could exploit this vulnerability. Additionally, the disruption of thread scheduling may indirectly impact system stability and reliability, increasing maintenance costs and downtime. Given the growing adoption of IoT and embedded devices across European industries, the vulnerability could have cascading effects on supply chains and service availability if exploited at scale.

1. Upgrade all affected ThreadX instances to version 6.4.3 or later where the vulnerability is fixed. 2. Implement strict access controls to limit local access to devices running ThreadX, reducing the risk of exploitation by unauthorized users. 3. Monitor embedded and IoT devices for abnormal thread behavior or resource exhaustion symptoms indicative of exploitation attempts. 4. Apply network segmentation and isolation for critical embedded systems to contain potential attacks. 5. Conduct regular audits of device firmware versions and patch status to ensure compliance. 6. Collaborate with device manufacturers and vendors to obtain security updates and guidance. 7. Employ runtime monitoring tools capable of detecting anomalous thread priority changes or scheduling disruptions. 8. Develop incident response plans tailored to embedded system outages to minimize operational impact. 9. Educate staff managing embedded and IoT infrastructure about the risks and signs of exploitation related to thread priority vulnerabilities.