CVE-2025-55092: CWE-125 Out-of-bounds Read in Eclipse Foundation NetX Duo
In Eclipse Foundation NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read issue in _nx_ipv4_option_process() when processing an IPv4 packet with the timestamp option.
AI Analysis
Technical Summary
CVE-2025-55092 is an out-of-bounds read vulnerability identified in the Eclipse Foundation's NetX Duo, a networking stack used in conjunction with the ThreadX real-time operating system. The vulnerability exists in the _nx_ipv4_option_process() function, which processes IPv4 packets containing the timestamp option. Specifically, when parsing the timestamp option, the function may read memory beyond the allocated buffer boundaries, leading to potential leakage of sensitive information from adjacent memory regions. This flaw arises due to insufficient bounds checking on the IPv4 timestamp option data. The vulnerability affects all versions of NetX Duo prior to 6.4.4, with no authentication or user interaction required for exploitation. The CVSS 4.0 score of 6.9 indicates a medium severity, driven by the network attack vector, low complexity of exploitation, and no privileges needed. While no public exploits or active exploitation have been reported, the vulnerability could be leveraged by remote attackers to gain unauthorized access to memory contents, potentially exposing sensitive data or aiding further attacks. NetX Duo is commonly embedded in IoT devices, industrial control systems, automotive electronics, and telecommunications equipment, making this vulnerability relevant to a broad range of embedded applications. The lack of a patch at the time of disclosure necessitates proactive mitigation strategies. The vulnerability is tracked under CWE-125 (Out-of-bounds Read) and CWE-126 (Buffer Over-read), highlighting the nature of the memory safety issue.
Potential Impact
The primary impact of CVE-2025-55092 is the potential unauthorized disclosure of sensitive information due to out-of-bounds memory reads. For European organizations, especially those operating critical infrastructure, industrial automation, automotive systems, or telecommunications networks that incorporate embedded devices running NetX Duo, this vulnerability could expose confidential operational data or cryptographic material. Although the vulnerability does not allow code execution or direct system compromise, information leakage can facilitate further targeted attacks or reconnaissance. The fact that exploitation requires no authentication and can be triggered remotely over the network increases the risk profile. Disruption to availability or integrity is not directly indicated, but indirect impacts could arise if attackers use leaked information to escalate privileges or disrupt operations. Given the widespread use of embedded systems in European manufacturing and critical sectors, the vulnerability could have significant operational and reputational consequences if exploited. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.
Mitigation Recommendations
To mitigate CVE-2025-55092, European organizations should prioritize updating NetX Duo to version 6.4.4 or later once the patch is released by the Eclipse Foundation. Until a patch is available, network administrators should implement filtering rules to block or scrutinize IPv4 packets containing the timestamp option, as this is the vector triggering the vulnerability. Deploying intrusion detection or prevention systems (IDS/IPS) capable of detecting anomalous IPv4 option usage can help identify exploitation attempts. Embedded device manufacturers and integrators should review their firmware to assess the inclusion of vulnerable NetX Duo versions and plan for timely firmware updates. Security teams should conduct network traffic analysis to detect unusual patterns that may indicate scanning or exploitation attempts targeting IPv4 options. Additionally, applying network segmentation to isolate vulnerable embedded devices can limit exposure. Organizations should maintain close communication with vendors for updates and advisories and incorporate this vulnerability into their risk management and incident response plans. Finally, conducting security audits of embedded systems and ensuring secure coding practices for network packet processing can reduce future risks.
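The bounds checks that the technical summary describes as insufficient, and the option check the filtering advice calls for, written out as an added example; this is not NetX Duo's code or its patch. The function name `ipv4_check_options` and the verdict names are hypothetical, the sample packet is constructed, and the timestamp pointer rule follows RFC 791.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_EOL        0
#define IPOPT_NOP        1
#define IPOPT_TIMESTAMP 68   /* RFC 791 Internet Timestamp option */
enum opt_verdict { OPT_MALFORMED = -1, OPT_OK = 0, OPT_HAS_TIMESTAMP = 1 };

/* Walk the IPv4 options of a raw packet; never reads at or beyond pkt[len]. */
enum opt_verdict ipv4_check_options(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return OPT_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0F) * 4;      /* IHL in bytes */
    if (hlen < 20 || hlen > len)
        return OPT_MALFORMED;

    enum opt_verdict verdict = OPT_OK;
    size_t off = 20;
    while (off < hlen) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (hlen - off < 2)                         /* no room for a length byte */
            return OPT_MALFORMED;
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || (size_t)olen > hlen - off)  /* option overruns the header */
            return OPT_MALFORMED;
        if (type == IPOPT_TIMESTAMP) {
            /* type, length, pointer, overflow/flags = 4 bytes minimum;
               RFC 791: smallest pointer is 5, a full option has length + 1 */
            if (olen < 4 || pkt[off + 2] < 5 || pkt[off + 2] > olen + 1)
                return OPT_MALFORMED;
            verdict = OPT_HAS_TIMESTAMP;
        }
        off += olen;
    }
    return verdict;
}

/* Constructed sample: 28-byte header (IHL = 7) with one timestamp option. */
static const uint8_t sample_ts[28] = {
    0x47, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    IPOPT_TIMESTAMP, 8, 5, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("verdict=%d\n", ipv4_check_options(sample_ts, sizeof sample_ts));
    return 0;
}
```

A filter or capture-analysis tool can drop or log on `OPT_HAS_TIMESTAMP` and `OPT_MALFORMED`; the IP checksum and total-length field are not validated here.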
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: eclipse
- Date Reserved: 2025-08-06T18:32:14.668Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f1d13d9c34d0947ff86bf4
Added to database: 10/17/2025, 5:16:45 AM
Last enriched: 10/17/2025, 5:32:08 AM
Last updated: 10/18/2025, 12:58:52 PM