CVE-2025-62602: CWE-122 Heap-based Buffer Overflow in eProsima Fast-DDS
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically, `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause a large allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-62602 affects eProsima Fast-DDS, a C++ implementation of the OMG DDS standard used for real-time data distribution in distributed systems. The flaw exists in versions prior to 3.4.1, 3.3.1, and 2.6.11 when security mode is enabled. Specifically, an attacker can craft an SPDP packet with a manipulated DATA Submessage, targeting the PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN fields. The vulnerability arises because the function readOctetVector reads a vector size (vecsize) without proper bounds checking. This unchecked vecsize is then passed as the length parameter to readData, where a 32-bit integer overflow can occur during length calculation. The overflow leads to an attempt to allocate an excessively large buffer on the heap, which quickly exhausts system memory and causes the Fast-DDS process to terminate unexpectedly. This results in a remotely-triggerable denial-of-service (DoS) condition. The flaw does not require any authentication or user interaction, and the attack vector is network-based (AV:N). Although the CVSS score is low (1.7), reflecting limited impact on confidentiality, integrity, and availability, the vulnerability can disrupt availability of critical DDS-based communication. No public exploits have been reported, and patches are available in the specified versions to remediate the issue.
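The following is an added illustration, not Fast-DDS code: a hypothetical, simplified octet-vector reader in the shape the summary describes (a declared `vecsize` folded into a 32-bit `length`), placed beside a hardened reader that validates the declared count against the bytes actually remaining before allocating. The `+ 4` header term and the sample buffers are assumptions constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Hypothetical, simplified model of a CDR octet-vector read (not Fast-DDS code):
// a 4-byte little-endian element count followed by that many octets.
struct Cursor { const uint8_t* data; size_t size; size_t pos; };

static bool read_u32_le(Cursor& c, uint32_t& out) {
    if (c.size - c.pos < 4) return false;
    out = uint32_t(c.data[c.pos]) | (uint32_t(c.data[c.pos + 1]) << 8) |
          (uint32_t(c.data[c.pos + 2]) << 16) | (uint32_t(c.data[c.pos + 3]) << 24);
    c.pos += 4;
    return true;
}

// The unchecked pattern the advisory describes: vecsize is trusted and folded into a
// 32-bit length that can wrap ("+ 4" is an assumed stand-in for the real arithmetic).
// Returns the would-be length instead of allocating anything.
uint32_t unchecked_length(Cursor c) {
    uint32_t vecsize = 0;
    if (!read_u32_le(c, vecsize)) return 0;
    return vecsize + 4;   // wraps modulo 2^32 when vecsize > UINT32_MAX - 4
}

// Hardened read: the declared count must fit in the bytes remaining in the message
// before any allocation happens, so a tampered vecsize is rejected outright.
bool checked_read_octet_vector(Cursor& c, std::vector<uint8_t>& out) {
    uint32_t vecsize = 0;
    if (!read_u32_le(c, vecsize)) return false;
    if (vecsize > c.size - c.pos) return false;   // count exceeds what is actually present
    out.assign(c.data + c.pos, c.data + c.pos + vecsize);
    c.pos += vecsize;
    return true;
}
// Constructed samples (not real SPDP bytes): a well-formed 3-octet vector, and a
// tampered one declaring 0xFFFFFFFE octets while carrying only two.
static const uint8_t kGood[] = {0x03, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03};
static const uint8_t kTampered[] = {0xFE, 0xFF, 0xFF, 0xFF, 0xAA, 0xBB};
size_t good_octet_count() {
    Cursor c{kGood, sizeof kGood, 0};
    std::vector<uint8_t> v;
    return checked_read_octet_vector(c, v) ? v.size() : 0;
}
uint32_t tampered_wrapped_length() { return unchecked_length(Cursor{kTampered, sizeof kTampered, 0}); }
bool tampered_rejected() {
    Cursor c{kTampered, sizeof kTampered, 0};
    std::vector<uint8_t> v;
    return !checked_read_octet_vector(c, v);
}
```

The tampered buffer makes the unchecked length wrap to a tiny value (2) while the declared count is near 4 GiB, which is the mismatch between a "length" check and the actual allocation that the hardened reader closes by bounding `vecsize` against the remaining payload first.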
Potential Impact
For European organizations, the primary impact is a potential denial-of-service condition in systems relying on Fast-DDS for real-time data exchange, such as industrial automation, autonomous vehicles, healthcare devices, and defense applications. Disruption of DDS communications can lead to loss of operational continuity, safety risks, and degraded service availability. While the vulnerability does not allow code execution or data compromise, the forced termination of Fast-DDS processes could interrupt critical workflows and safety mechanisms. Organizations in sectors with stringent real-time requirements or safety-critical operations are particularly at risk. Given the low CVSS score and lack of known exploits, the immediate risk is moderate, but the potential for targeted DoS attacks in sensitive environments warrants attention.
Mitigation Recommendations
European organizations should prioritize upgrading eProsima Fast-DDS to versions 3.4.1, 3.3.1, or 2.6.11 or later, where the vulnerability is patched. Network-level filtering can be implemented to restrict or monitor SPDP packets, especially those containing PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN fields, to detect anomalous or malformed messages. Deploying intrusion detection systems (IDS) with custom signatures for malformed DDS packets may help identify exploitation attempts. Additionally, organizations should enforce strict network segmentation to isolate DDS traffic and reduce exposure to untrusted networks. Regularly auditing and monitoring Fast-DDS logs for unexpected process terminations can provide early warning of exploitation attempts. Finally, integrating Fast-DDS updates into the organization's patch management lifecycle will ensure timely remediation of future vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-16T19:24:37.267Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69825048f9fa50a62fdc1986
Added to database: 2/3/2026, 7:45:12 PM
Last enriched: 2/3/2026, 8:01:15 PM
Last updated: 2/7/2026, 4:00:19 AM