CVE-2025-55091: CWE-125 Out-of-bounds Read in Eclipse Foundation NetX Duo
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read issue in the _nx_ip_packet_receive() function when receiving an Ethernet frame with type set as IP but no IP data.
AI Analysis
Technical Summary
CVE-2025-55091 identifies a vulnerability in the Eclipse Foundation's NetX Duo, a widely used TCP/IP networking stack designed for embedded systems and real-time operating systems like ThreadX. The vulnerability is an out-of-bounds read (CWE-125) occurring in the _nx_ip_packet_receive() function. Specifically, when the function processes an Ethernet frame with its type field set to IP but containing no actual IP data, it attempts to read beyond the allocated buffer boundaries. This can lead to the disclosure of sensitive memory contents or cause application crashes due to invalid memory access. The vulnerability affects all versions of NetX Duo before 6.4.4. Exploitation requires sending specially crafted Ethernet frames to the target device, which can be done remotely over the network without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact, with no impact on integrity or availability. No patches or exploits are currently publicly available, but the CVE has been reserved since August 2025 and is officially published. This vulnerability is relevant to embedded devices and IoT systems using NetX Duo, which are common in industrial, automotive, and consumer electronics sectors.
Potential Impact
For European organizations, the primary impact of CVE-2025-55091 lies in the potential exposure of sensitive memory contents from embedded devices running NetX Duo, which could lead to information leakage or destabilization of critical systems. Sectors such as manufacturing, automotive, healthcare, and telecommunications that rely heavily on embedded real-time operating systems and IoT devices are at higher risk. Disclosed memory could contain cryptographic keys, configuration data, or other sensitive information, facilitating further attacks. While the vulnerability does not directly allow code execution or denial of service, the confidentiality breach could undermine trust and compliance with data protection regulations like GDPR. The ease of remote exploitation without authentication increases the threat surface, especially for devices exposed to untrusted networks. Disruption or compromise of embedded systems in critical infrastructure could have cascading effects on operational continuity and safety.
Mitigation Recommendations
To mitigate CVE-2025-55091, European organizations should prioritize upgrading NetX Duo to version 6.4.4 or later once the patch is released by the Eclipse Foundation. Until then, network administrators should implement strict ingress filtering to block malformed Ethernet frames that claim to be IP but contain no IP payload, reducing the attack surface. Deploying network segmentation and isolating embedded devices from untrusted networks can limit exposure. Monitoring network traffic for anomalous Ethernet frames and employing intrusion detection systems tailored for embedded protocols can provide early warning. Device manufacturers and integrators should review their firmware and software supply chains to ensure timely updates. Additionally, conducting security audits and penetration testing on embedded systems can help identify and remediate similar vulnerabilities proactively.
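The length checks behind the ingress-filtering recommendation above, as an added C example (not NetX Duo code and not the project's fix): classify_frame, the verdict enum and the sample frames are names and data constructed for illustration. It goes slightly beyond the case in the advisory by also checking the IPv4/IPv6 header length fields and one 802.1Q tag.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN    14u     /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN   4u
#define ETHERTYPE_IPV4 0x0800u
#define ETHERTYPE_IPV6 0x86DDu
#define ETHERTYPE_VLAN 0x8100u

enum frame_verdict { FRAME_NOT_IP, FRAME_IP_OK, FRAME_TRUNCATED, FRAME_MALFORMED };

/* Constructed samples: header-only frame typed as IPv4, and a minimal IPv4 frame
   (checksum left as 0; this example does not verify it). */
static const uint8_t SAMPLE_EMPTY_IP[14] = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00};
static const uint8_t SAMPLE_IPV4_MIN[34] = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify a frame of `len` valid bytes. Every read is preceded by a length
   check, so an IP EtherType with no IP data is rejected instead of parsed. */
enum frame_verdict classify_frame(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HDR_LEN) return FRAME_TRUNCATED;
    size_t off = ETH_HDR_LEN;
    uint16_t type = rd16(frame + 12);
    if (type == ETHERTYPE_VLAN) {                 /* skip one 802.1Q tag */
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return FRAME_TRUNCATED;
        type = rd16(frame + 16);
        off += VLAN_TAG_LEN;
    }
    if (type != ETHERTYPE_IPV4 && type != ETHERTYPE_IPV6) return FRAME_NOT_IP;
    size_t ip_len = len - off;                    /* bytes present after the link header */
    if (ip_len == 0) return FRAME_TRUNCATED;      /* the case described in the advisory */
    const uint8_t *ip = frame + off;
    uint8_t version = (uint8_t)(ip[0] >> 4);
    if (type == ETHERTYPE_IPV4) {
        if (ip_len < 20) return FRAME_TRUNCATED;  /* minimum IPv4 header */
        size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
        size_t total = rd16(ip + 2);
        if (version != 4 || ihl < 20 || total < ihl) return FRAME_MALFORMED;
        if (ihl > ip_len || total > ip_len) return FRAME_TRUNCATED;
        return FRAME_IP_OK;
    }
    if (ip_len < 40) return FRAME_TRUNCATED;      /* fixed IPv6 header */
    if (version != 6) return FRAME_MALFORMED;
    if ((size_t)rd16(ip + 4) > ip_len - 40) return FRAME_TRUNCATED;
    return FRAME_IP_OK;
}
int main(void) { return classify_frame(SAMPLE_EMPTY_IP, sizeof SAMPLE_EMPTY_IP) == FRAME_TRUNCATED ? 0 : 1; }
```

Where short frames are padded to the Ethernet minimum before the filter sees them, the same frame arrives with zero padding after the header and is classified FRAME_MALFORMED, because the version nibble is 0.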
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: eclipse
- Date Reserved: 2025-08-06T18:32:14.668Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f0b5099f8a5dbaeac23899
Added to database: 10/16/2025, 9:04:09 AM
Last enriched: 10/16/2025, 9:14:43 AM
Last updated: 10/16/2025, 2:09:13 PM