CVE-2025-55094: CWE-125 Out-of-bounds Read in Eclipse Foundation NetX Duo
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options.
AI Analysis
Technical Summary
CVE-2025-55094 is an out-of-bounds read vulnerability classified under CWE-125 found in the NetX Duo networking stack, a component of the Eclipse Foundation's ThreadX real-time operating system (RTOS). The flaw exists in the _nx_icmpv6_validate_options() function, which processes ICMPv6 packets. Specifically, when handling ICMPv6 packets containing malformed or maliciously crafted options, the function may read memory beyond the intended buffer boundaries. This can lead to unintended disclosure of memory contents or cause application crashes due to invalid memory access. The vulnerability affects all versions of NetX Duo prior to 6.4.4. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (VC:L) without affecting integrity or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability is significant because NetX Duo is widely used in embedded systems and IoT devices, which often rely on ThreadX for networking capabilities. Exploitation could allow remote attackers to glean sensitive memory information or cause denial of service conditions, potentially disrupting device functionality or exposing sensitive data. The lack of authentication and user interaction requirements increases the risk of remote exploitation. However, the absence of integrity or availability impacts limits the scope of damage. The vulnerability was reserved on August 6, 2025, and published on October 17, 2025. No official patches or advisories are linked yet, but upgrading to version 6.4.4 or later is recommended once available.
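The class of check whose absence produces this kind of out-of-bounds read, as an added example (this is not NetX Duo's code and not the project's fix): a bounds-checked walk over ICMPv6 Neighbor Discovery options. It assumes the RFC 4861 option layout; `nd_validate`, the result codes and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes; not NetX Duo identifiers. */
enum nd_opt_result { ND_OPT_OK, ND_OPT_TRUNCATED, ND_OPT_ZERO_LEN, ND_OPT_OVERRUN };

/* Walk an ICMPv6 Neighbor Discovery option area (RFC 4861 layout): type (1 byte),
 * length (1 byte, in units of 8 octets, counting the type/length bytes), data.
 * Every read is checked against the bytes that actually remain in the buffer. */
enum nd_opt_result nd_validate(const uint8_t *opts, size_t len, size_t *count_out)
{
    size_t off = 0, count = 0;

    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 2)
            return ND_OPT_TRUNCATED;    /* the length byte itself is missing */
        size_t opt_bytes = (size_t)opts[off + 1] * 8u;
        if (opt_bytes == 0)
            return ND_OPT_ZERO_LEN;     /* invalid; the walk would never advance */
        if (opt_bytes > remaining)
            return ND_OPT_OVERRUN;      /* option claims bytes past the buffer */
        off += opt_bytes;
        count++;
    }
    if (count_out)
        *count_out = count;
    return ND_OPT_OK;
}

/* Constructed sample option areas, not captured traffic. */
static const uint8_t sample_ok[] = { 1, 1, 0x02, 0, 0, 0, 0, 0x01,   /* source link-layer address */
                                     5, 1, 0, 0, 0, 0, 0x05, 0xdc }; /* MTU 1500 */
static const uint8_t sample_overrun[] = { 1, 2, 0, 0, 0, 0, 0, 0 };  /* claims 16 bytes, has 8 */
static const uint8_t sample_zero[]    = { 1, 0, 0, 0, 0, 0, 0, 0 };  /* length field of 0 */
static const uint8_t sample_trunc[]   = { 1, 1, 0, 0, 0, 0, 0, 0, 5 }; /* trailing lone type byte */

int main(void)
{
    size_t n = 0;
    int ok = (int)nd_validate(sample_ok, sizeof sample_ok, &n);
    printf("ok=%d options=%zu overrun=%d zero=%d trunc=%d\n", ok, n,
           (int)nd_validate(sample_overrun, sizeof sample_overrun, NULL),
           (int)nd_validate(sample_zero, sizeof sample_zero, NULL),
           (int)nd_validate(sample_trunc, sizeof sample_trunc, NULL));
    return 0;
}
```

The same three rejections (truncated header, zero length, declared length past the end) are what a filtering or monitoring rule for malformed ICMPv6 options would look for.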
Potential Impact
For European organizations, the primary impact of CVE-2025-55094 lies in the potential exposure of sensitive memory contents and possible device instability or crashes in embedded systems using NetX Duo. This could affect sectors relying heavily on IoT and embedded devices, such as manufacturing, automotive, healthcare, and critical infrastructure. Confidentiality breaches could lead to leakage of proprietary or personal data, while denial of service could disrupt operational technology environments. Given the vulnerability can be exploited remotely without authentication, attackers could leverage it to gain reconnaissance information or cause intermittent failures in networked devices. The impact is particularly relevant for organizations deploying ThreadX-based devices in critical roles, where stability and data protection are paramount. Although the vulnerability does not directly affect integrity or availability, the indirect consequences of memory disclosure or crashes could undermine trust in device security and reliability. The medium severity rating suggests a moderate risk, but the widespread use of NetX Duo in embedded systems means the potential attack surface is significant. European organizations should assess their exposure based on device inventories and network architectures.
Mitigation Recommendations
1. Upgrade affected devices and systems to NetX Duo version 6.4.4 or later as soon as patches become available from the Eclipse Foundation or device vendors.
2. Implement network-level filtering to block or drop malformed ICMPv6 packets, especially those with suspicious options, using firewalls or intrusion prevention systems.
3. Conduct thorough asset inventories to identify all devices running ThreadX with NetX Duo and prioritize patching or mitigation accordingly.
4. Employ network segmentation to isolate vulnerable embedded systems from critical networks and limit exposure to potential attackers.
5. Monitor network traffic for anomalous ICMPv6 packets that could indicate exploitation attempts.
6. Collaborate with device manufacturers to obtain firmware updates and security advisories related to this vulnerability.
7. Integrate vulnerability scanning and penetration testing focused on embedded devices to detect exploitation attempts or vulnerable configurations.
8. Educate operational technology and security teams about the risks associated with ICMPv6 handling vulnerabilities in embedded systems.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: eclipse
- Date Reserved: 2025-08-06T18:32:14.668Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f1d5f59c34d0947ffa1170
Added to database: 10/17/2025, 5:36:53 AM
Last enriched: 10/17/2025, 5:47:03 AM
Last updated: 10/20/2025, 6:56:38 AM