CVE-2025-55090 identifies a vulnerability in the NetX Duo TCP/IP stack maintained by the Eclipse Foundation, used widely in embedded systems and IoT devices. The vulnerability is an out-of-bounds read (CWE-125) occurring in the _nx_ipv4_packet_receive() function when it processes Ethernet frames containing less than 4 bytes of IP packet data. This improper bounds checking can cause the system to read memory beyond the intended buffer, potentially exposing sensitive information or causing application crashes. The flaw exists in versions prior to 6.4.4 of NetX Duo. Exploitation requires no authentication or user interaction and can be triggered remotely by sending a specially crafted Ethernet frame to a vulnerable device. While no exploits have been reported in the wild, the vulnerability poses a risk to devices relying on NetX Duo for network communication, especially in environments where malformed packets might be encountered or injected. The CVSS v4.0 score of 6.9 (medium severity) reflects the network attack vector, low attack complexity, and no privileges or user interaction required, with limited confidentiality impact and no integrity or availability impact. The vulnerability does not affect the underlying ThreadX RTOS but specifically the NetX Duo networking module. No patches or fixes are currently linked but upgrading to version 6.4.4 or later is expected to resolve the issue once released.

For European organizations, the primary impact of CVE-2025-55090 lies in the potential exposure of sensitive memory contents due to out-of-bounds reads, which could lead to information disclosure. Additionally, malformed packets might cause instability or crashes in embedded devices, potentially disrupting critical operations. Industries relying heavily on embedded systems and IoT devices—such as manufacturing automation, telecommunications infrastructure, smart grids, and transportation—may face operational risks if vulnerable devices are exploited. Given the remote, unauthenticated nature of the vulnerability, attackers could scan and target exposed devices over the network, increasing the threat surface. Although no known exploits exist yet, the medium severity rating and ease of exploitation warrant proactive mitigation to prevent future attacks. The impact on confidentiality is limited but non-negligible, while integrity and availability impacts are minimal or absent. Disruptions in critical infrastructure or industrial control systems could have cascading effects on supply chains and services within Europe.

1. Upgrade all affected NetX Duo instances to version 6.4.4 or later as soon as the patch becomes available from the Eclipse Foundation. 2. Implement network-level filtering to block malformed or suspicious Ethernet frames, especially those with abnormally short IP packet lengths, using intrusion prevention systems or firewalls. 3. Conduct network traffic monitoring to detect anomalous packets that could trigger the vulnerability. 4. For embedded devices that cannot be immediately updated, apply compensating controls such as isolating them on segmented networks with restricted access. 5. Collaborate with device vendors to confirm the use of NetX Duo and request firmware updates incorporating the fix. 6. Incorporate vulnerability scanning and penetration testing focused on network stack robustness in embedded and IoT devices. 7. Maintain up-to-date asset inventories to identify devices running vulnerable NetX Duo versions. 8. Educate operational technology and IoT security teams about this vulnerability to enhance detection and response capabilities.