
CVE-2025-55086: CWE-1285 in Eclipse Foundation NetX Duo

Severity: Medium
Tags: vulnerability, CVE-2025-55086, CWE-1285, CWE-125
Published: Mon Oct 20 2025 (10/20/2025, 17:49:29 UTC)
Source: CVE Database V5
Vendor/Project: Eclipse Foundation
Product: NetX Duo

Description

In NetXDuo versions before 6.4.4 (NetXDuo is the networking support module for Eclipse Foundation ThreadX), the DHCPv6 client used an unchecked index when extracting the server DUID from the server reply. With a crafted packet, an attacker could cause an out-of-bounds memory read.

AI-Powered Analysis

Last updated: 10/20/2025, 18:02:01 UTC

Technical Analysis

CVE-2025-55086 is a vulnerability in the DHCPv6 client of NetX Duo, the TCP/IP stack for the Eclipse Foundation's ThreadX real-time operating system. When the client processes a server reply it extracts the server's DUID (DHCP Unique Identifier, carried in the Server Identifier option) and stores it for use in later messages. The index used for that extraction was not validated against the length of the received packet, so a reply whose Server Identifier option claims more data than the datagram actually carries makes the client read past the end of its receive buffer. The weakness is classified as CWE-1285 (Improper Validation of Specified Index, Position, or Offset in Input) and CWE-125 (Out-of-bounds Read). No authentication or user interaction is involved, but the attacker must be able to deliver a server reply to the client: DHCPv6 client traffic is link-scoped (clients multicast to ff02::1:2, UDP ports 546/547), so the realistic positions are a rogue DHCPv6 server on the same link or a compromised relay or server in the path. Because the flaw is a read rather than a write, it does not by itself corrupt memory. The consequences are a crash when the over-read reaches unmapped or protected memory (a bus fault on an MPU-equipped MCU; on a small MCU without memory protection the read usually just returns neighbouring RAM) and disclosure of whatever lies beyond the packet buffer; since a DHCPv6 client echoes the stored server DUID in its subsequent Request, Renew and Release messages (RFC 8415), leaked bytes can also leave the device on the wire. The page records a CVSS 4.0 base score of 6.3 (medium), reflecting a network attack vector, low complexity, no privileges and no user interaction. The advisory names NetX Duo 6.4.4 as the fixed release; no public exploit is recorded. The issue matters for embedded and IoT devices that use NetX Duo on IPv6 networks with the DHCPv6 client enabled.
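As an added illustration (this is not NetX Duo's code and not a reproduction of the actual CVE-2025-55086 fix), the C below shows the pattern the advisory describes next to a bounds-checked form: a minimal DHCPv6 option walker that locates the Server Identifier option and returns a view of the DUID. The crafted reply, the "arena" of simulated secret bytes placed after it, and every function name are constructed for the example. The unchecked walker trusts the option length from the wire, so its view spills 36 bytes past the 20-byte packet; the checked walker rejects the same packet and still accepts a well-formed one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DHCPv6 wire format (RFC 8415): 1-byte msg-type, 3-byte transaction-id,
 * then options, each 2-byte option-code, 2-byte option-len, option-data. */
#define DHCPV6_HDR_LEN      4
#define DHCPV6_MSG_REPLY    7
#define DHCPV6_OPT_SERVERID 2
#define DUID_MAX_LEN        130   /* RFC 8415 section 11.1 */

typedef struct {
    const uint8_t *data;          /* points into the received packet */
    uint16_t       len;
} duid_view_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern (hypothetical, mirrors the advisory's description): the
 * option length read from the packet becomes an index without ever being
 * compared to the bytes actually received, so the view can exceed pkt_len. */
int find_server_duid_unchecked(const uint8_t *pkt, size_t pkt_len, duid_view_t *out)
{
    size_t idx = DHCPV6_HDR_LEN;
    while (idx + 4 <= pkt_len) {
        uint16_t code = rd16(&pkt[idx]);
        uint16_t len  = rd16(&pkt[idx + 2]);
        if (code == DHCPV6_OPT_SERVERID) {
            out->data = &pkt[idx + 4];     /* BUG: idx + 4 + len never checked */
            out->len  = len;
            return 0;
        }
        idx += 4 + len;
    }
    return -1;
}

/* Hardened form: every option header and body must lie inside pkt_len, and a
 * Server Identifier DUID must be 1..DUID_MAX_LEN octets. */
int find_server_duid_checked(const uint8_t *pkt, size_t pkt_len, duid_view_t *out)
{
    if (pkt_len < DHCPV6_HDR_LEN) return -1;
    size_t idx = DHCPV6_HDR_LEN;
    while (pkt_len - idx >= 4) {           /* room for an option header */
        uint16_t code = rd16(&pkt[idx]);
        uint16_t len  = rd16(&pkt[idx + 2]);
        if (len > pkt_len - idx - 4) return -1;   /* option body truncated */
        if (code == DHCPV6_OPT_SERVERID) {
            if (len == 0 || len > DUID_MAX_LEN) return -1;
            out->data = &pkt[idx + 4];
            out->len  = len;
            return 0;
        }
        idx += 4 + len;
    }
    return -1;
}

/* Consumer that copies the DUID into fixed-size client state (a read of the
 * packet; the dst cap only keeps this demo itself from overflowing). */
size_t copy_duid(const duid_view_t *v, uint8_t *dst, size_t dst_cap)
{
    size_t n = v->len < dst_cap ? v->len : dst_cap;
    memcpy(dst, v->data, n);
    return n;
}

/* Constructed memory: a 64-byte arena holding a 20-byte crafted REPLY and,
 * right after it, 'S' bytes standing in for whatever sits past the receive
 * buffer on a real device (other packets, keys, stack). */
uint8_t arena[64];
const size_t crafted_len = 20;

void build_crafted_reply(void)
{
    static const uint8_t hdr[4]      = { DHCPV6_MSG_REPLY, 0x12, 0x34, 0x56 };
    static const uint8_t clientid[8] = { 0x00, 0x01, 0x00, 0x04, 0xaa, 0xbb, 0xcc, 0xdd };
    /* Server Identifier claims 40 bytes (0x0028) but only 4 follow in the datagram */
    static const uint8_t serverid[8] = { 0x00, 0x02, 0x00, 0x28, 0x01, 0x02, 0x03, 0x04 };
    memset(arena, 'S', sizeof arena);
    memcpy(arena, hdr, 4);
    memcpy(arena + 4, clientid, 8);
    memcpy(arena + 12, serverid, 8);       /* packet ends at offset 20 */
}

/* 1 if the unchecked walker's view extends beyond the end of the packet. */
int unchecked_reads_past_packet(void)
{
    duid_view_t v;
    build_crafted_reply();
    if (find_server_duid_unchecked(arena, crafted_len, &v) != 0) return -1;
    return (v.data + v.len) > (arena + crafted_len);
}

/* Number of simulated secret bytes that end up in the stored "server DUID". */
size_t leaked_secret_bytes(void)
{
    duid_view_t v;
    uint8_t duid[DUID_MAX_LEN];
    size_t n, i, leaked = 0;
    build_crafted_reply();
    find_server_duid_unchecked(arena, crafted_len, &v);
    n = copy_duid(&v, duid, sizeof duid);
    for (i = 0; i < n; i++) if (duid[i] == 'S') leaked++;
    return leaked;
}

int checked_rejects_crafted(void)
{
    duid_view_t v;
    build_crafted_reply();
    return find_server_duid_checked(arena, crafted_len, &v) == -1;
}

/* Well-formed REPLY with a 10-byte DUID-LL server identifier (constructed). */
int checked_valid_duid_len(void)
{
    static const uint8_t good[] = { DHCPV6_MSG_REPLY, 0x12, 0x34, 0x56,
        0x00, 0x02, 0x00, 0x0a, 0x00, 0x03, 0x00, 0x01, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };
    duid_view_t v;
    if (find_server_duid_checked(good, sizeof good, &v) != 0) return -1;
    return v.len;
}
```

The checked walker tests `len > pkt_len - idx - 4` rather than `idx + 4 + len > pkt_len` so that the arithmetic cannot wrap, and it caps the DUID at the 130 octets RFC 8415 allows before anything is copied into client state; the same two checks are what a monitoring tap would apply to flag a malformed Reply on the wire.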

Potential Impact

For European organizations the exposure lies in embedded, IoT and industrial control devices built on NetX Duo that run the DHCPv6 client, which are common in sectors such as automotive, healthcare, energy and telecommunications. A rogue DHCPv6 server on the same link can make such a device read past its packet buffer, leaking adjacent memory (which may hold credentials, cryptographic keys or configuration data) or crashing it, which amounts to a denial of service for whatever function the device provides. No exploit is known in the wild, but the attack needs no credentials and only a crafted reply delivered on the local link, so it warrants proactive mitigation, particularly where devices share a segment with untrusted hosts or where firmware updates are slow to reach the field.

Mitigation Recommendations

1. Upgrade affected devices to NetX Duo 6.4.4 or later, the release the advisory names as fixed.
2. Control who can act as a DHCPv6 server on each link. DHCPv6 client traffic is link-local multicast (UDP 546/547), so a perimeter firewall never sees a rogue reply; enforce DHCPv6 guard on access switches (RFC 7610, DHCPv6-Shield) or port ACLs that drop server-to-client DHCPv6 (UDP source port 547) arriving on any port that is not the known server or relay uplink.
3. Inventory devices running NetX Duo and determine which have the DHCPv6 client enabled on IPv6-connected interfaces.
4. Disable the DHCPv6 client where it is not needed (SLAAC or static addressing instead); where it is needed, make sure only trusted servers and relays can reach the segment.
5. Segment vulnerable embedded devices from critical infrastructure and sensitive data networks.
6. Monitor for DHCPv6 Advertise/Reply messages whose option lengths exceed the datagram, for replies from unexpected server addresses, and for device resets or watchdog events that coincide with DHCPv6 activity.
7. Work with device vendors and suppliers on firmware update timelines and disclosure.
8. Include embedded-device compromise and DHCPv6-related denial of service scenarios in incident response plans.


Technical Details

Data Version
5.1
Assigner Short Name
eclipse
Date Reserved
2025-08-06T18:32:14.667Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68f6785707c863f509432cd4

Added to database: 10/20/2025, 5:58:47 PM

Last enriched: 10/20/2025, 6:02:01 PM

Last updated: 10/21/2025, 1:17:25 AM

