
CVE-2025-62723: CWE-772: Missing Release of Resource after Effective Lifetime in halfgaar FlashMQ

Severity: Medium (CVE-2025-62723, CWE-772)
Published: Fri Oct 24 2025 (10/24/2025, 20:16:34 UTC)
Source: CVE Database V5
Vendor/Project: halfgaar
Product: FlashMQ

Description

FlashMQ is an MQTT broker/server, designed for multi-CPU environments. Prior to version 1.23.2, any authenticated user can create sessions and have them collect QoS messages. When not sent to a client, these are then not released upon (eventual) session expiration. Version 1.23.2 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 10/24/2025, 20:50:58 UTC

Technical Analysis

CVE-2025-62723 is a resource management vulnerability classified under CWE-772 (Missing Release of Resource after Effective Lifetime) affecting halfgaar's FlashMQ MQTT broker/server designed for multi-CPU environments. In versions prior to 1.23.2, any authenticated user can create MQTT sessions that collect Quality of Service (QoS) messages intended for delivery. If these messages are not sent to the client before the session expires, the resources allocated for storing these messages are not released properly. Over time, this leads to resource leakage, which can exhaust system memory or storage resources, degrading the broker's performance or causing denial of service (DoS). The vulnerability can be triggered remotely by an authenticated user without requiring additional user interaction, making it relatively easy to exploit in environments where user credentials are compromised or weak. The CVSS v3.1 score is 4.3 (medium severity), reflecting the impact on availability without affecting confidentiality or integrity. The issue was publicly disclosed on October 24, 2025, and resolved in FlashMQ version 1.23.2. No public exploits have been reported to date, but the vulnerability poses a risk to MQTT deployments relying on FlashMQ, especially in IoT or industrial control systems where MQTT is commonly used.

Potential Impact

For European organizations, this vulnerability primarily threatens the availability of MQTT broker services running FlashMQ versions prior to 1.23.2. Organizations using FlashMQ in critical infrastructure, industrial automation, or IoT deployments could experience service degradation or outages due to resource exhaustion caused by unreleased QoS messages. This may disrupt operational technology (OT) environments or cloud services relying on MQTT messaging. Although the vulnerability does not compromise data confidentiality or integrity, denial of service conditions can impact business continuity, safety systems, and real-time monitoring applications. The requirement for authentication limits exposure to internal or compromised users, but insider threats or credential theft could enable exploitation. Given the increasing adoption of MQTT in European smart manufacturing, energy, and transportation sectors, the risk of operational disruption is significant if patches are not applied promptly.

Mitigation Recommendations

European organizations should immediately upgrade FlashMQ to version 1.23.2 or later, where the resource release issue is fixed. Until patching is possible, implement strict access controls and monitoring on MQTT broker authentication to prevent unauthorized session creation. Employ network segmentation to isolate MQTT brokers from untrusted networks and limit access to trusted clients only. Monitor broker resource usage and session counts to detect abnormal accumulation of QoS messages indicative of exploitation attempts. Implement rate limiting or session quotas per user to reduce the risk of resource exhaustion. Regularly audit user credentials and enforce strong authentication mechanisms to minimize the risk of credential compromise. Additionally, consider deploying MQTT brokers with built-in resource management safeguards or alternative brokers with robust session handling if FlashMQ cannot be updated promptly.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-20T19:41:22.741Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68fbe316f816635ddaee62b1

Added to database: 10/24/2025, 8:35:34 PM

Last enriched: 10/24/2025, 8:50:58 PM

Last updated: 10/25/2025, 10:14:25 AM

