CVE-2025-65494: n/a
Description
CVE-2025-65494 is a high-severity vulnerability in libcoap 4.3.5: a NULL pointer dereference in the get_san_or_cn_from_cert() function when a crafted X.509 certificate is processed. The function calls sk_GENERAL_NAME_value(), which can return NULL, and uses the result without checking it, so the process crashes. A remote attacker can trigger the crash to cause a denial of service (DoS) without authentication or user interaction. No exploits in the wild are known at the time of writing, but the assigned CVSS score of 7.5 reflects a significant availability risk. European organizations running libcoap in IoT or constrained-device environments should be particularly vigilant. Mitigation consists of applying the maintainers' patch once it is available and, in the meantime, tightening certificate validation and limiting which peers can reach affected endpoints.
AI Analysis
Technical Summary
CVE-2025-65494 is a NULL pointer dereference in the get_san_or_cn_from_cert() function in src/coap_openssl.c of libcoap 4.3.5. libcoap is a widely used open-source implementation of the Constrained Application Protocol (CoAP), deployed mostly in IoT and other constrained-network settings. The affected function extracts the Subject Alternative Name (SAN) or, failing that, the Common Name (CN) from an X.509 certificate that a remote peer presents during the (D)TLS handshake. While walking the SAN list it calls sk_GENERAL_NAME_value(), which can return NULL for a crafted certificate; the code dereferences the returned pointer without checking it, and the process crashes. Certificate inspection happens during the handshake, before the peer has been authenticated, so anyone who can reach a libcoap endpoint over the network can trigger the crash and leave the service or device unresponsive or terminated. The flaw is classified as CWE-476 (NULL Pointer Dereference). The CVSS v3.1 base score shown for it is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, low attack complexity, no privileges or user interaction, and a high impact on availability only. Note that the CVE record itself lists no CVSS version (see Technical Details below), so the 7.5 figure appears to come from third-party enrichment rather than from the assigner. Two practical caveats: the affected code is specific to libcoap's OpenSSL backend, so builds that use another TLS backend (libcoap also supports GnuTLS, Mbed TLS, wolfSSL and TinyDTLS) do not run the code path described here, and no public exploit has been reported so far. Because libcoap is embedded in many IoT devices, the crash could disrupt services that rely on CoAP, such as smart meters, industrial sensors and building-automation systems.
Potential Impact
For European organizations, the primary impact of CVE-2025-65494 is denial of service on devices and services that use libcoap 4.3.5 with the OpenSSL backend. This can cause outages in IoT deployments, industrial control systems and smart infrastructure that depend on CoAP for lightweight communication. Disruptions could affect utilities, manufacturing, transportation and smart-city applications, leading to operational downtime and, where CoAP carries control or safety-relevant traffic, potential safety risks. The vulnerability does not compromise confidentiality or integrity, so data breaches are unlikely; availability loss can nevertheless cascade into dependent systems. Because neither authentication nor user interaction is required, any attacker who can complete the initial (D)TLS exchange with an affected endpoint can trigger the crash repeatedly, which enlarges the attack surface. European critical-infrastructure operators and enterprises with large IoT estates face an increased risk of service interruption, with consequences for business continuity and regulatory obligations. The flaw could also be used as one component of a broader campaign against IoT ecosystems, amplifying its impact.
Mitigation Recommendations
To mitigate CVE-2025-65494, organizations should update libcoap to a patched release as soon as the maintainers publish one. In the interim, backporting a NULL check on the result of sk_GENERAL_NAME_value() in get_san_or_cn_from_cert() prevents the crash; the check must run before the pointer is dereferenced. Network-level filtering of certificates is only practical where a (D)TLS-terminating gateway sits in front of the devices, because the certificate travels inside the handshake; elsewhere, restrict which source addresses may open a handshake with affected endpoints (firewall or allowlist) and keep devices off untrusted networks. Strict certificate validation policies and certificate pinning, where feasible, reduce exposure. Monitor for crash or restart loops of the CoAP process and for unusual handshake or certificate-related errors, which are the observable signs of an exploitation attempt, and tune intrusion detection for CoAP anomalies in critical deployments; a process supervisor or watchdog that restarts the service bounds the outage but does not remove the flaw. Vendors and integrators should check their firmware and software bills of materials for libcoap 4.3.5 built against OpenSSL and push updated builds promptly. Finally, informing IoT device operators about this vulnerability will speed up response and remediation.
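The vulnerable pattern and the interim fix described above, as an added example that is not libcoap's own code: the SAN walk is rewritten in plain C with stand-in types (general_name_t, name_stack_t, stack_value()) that mirror only the slice of OpenSSL's GENERAL_NAME and STACK_OF(GENERAL_NAME) API the walk touches, so it compiles without OpenSSL. The sample SAN list is constructed, not taken from a real certificate, and the embedded-NUL rejection in the hardened version is extra hardening, not something the advisory describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins (assumption) for the slice of OpenSSL's GENERAL_NAME and
 * STACK_OF(GENERAL_NAME) API that the SAN walk touches. */
enum { GEN_DNS = 2, GEN_IPADD = 7 };

typedef struct {
    int type;                  /* GEN_DNS, GEN_IPADD, ... */
    const unsigned char *data; /* ASN1_STRING bytes; may legally contain '\0' */
    int len;                   /* ASN1_STRING_length() */
} general_name_t;

typedef struct {
    general_name_t **items;
    int num;                   /* sk_GENERAL_NAME_num() */
} name_stack_t;

/* Mirrors sk_GENERAL_NAME_value(): returns NULL for an out-of-range index or
 * an empty slot. This NULL is the value the vulnerable walk never checks. */
const general_name_t *stack_value(const name_stack_t *sk, int i) {
    if (sk == NULL || i < 0 || i >= sk->num)
        return NULL;
    return sk->items[i];
}

/* Copy len bytes into a fresh NUL-terminated string (caller frees). */
static char *dup_bytes(const unsigned char *p, size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, p, len);
    s[len] = '\0';
    return s;
}

/* Vulnerable pattern (CWE-476): the entry is dereferenced with no NULL
 * check. Kept only for contrast; it would crash on the sample list below. */
char *unsafe_first_dns_name(const name_stack_t *san) {
    for (int n = 0; n < san->num; n++) {
        const general_name_t *name = stack_value(san, n);
        if (name->type == GEN_DNS)          /* NULL pointer dereference here */
            return dup_bytes(name->data, (size_t)name->len);
    }
    return NULL;
}

/* Hardened walk: skips NULL entries, checks the type before reading the
 * payload, and (extra hardening) rejects a DNS name with an embedded NUL,
 * which C string functions would otherwise silently truncate. */
char *safe_first_dns_name(const name_stack_t *san) {
    if (san == NULL)
        return NULL;
    for (int n = 0; n < san->num; n++) {
        const general_name_t *name = stack_value(san, n);
        if (name == NULL || name->type != GEN_DNS)
            continue;
        if (name->data == NULL || name->len <= 0)
            continue;
        if (memchr(name->data, '\0', (size_t)name->len) != NULL)
            continue;                       /* "evil\0.example" is rejected */
        return dup_bytes(name->data, (size_t)name->len);
    }
    return NULL;                            /* caller falls back to the CN */
}

/* Constructed sample SAN list (not from a real certificate): an empty slot,
 * an IP address entry, a DNS name with an embedded NUL, and a clean name. */
static general_name_t sample_ip  = { GEN_IPADD, (const unsigned char *)"\x0a\x00\x00\x01", 4 };
static general_name_t sample_bad = { GEN_DNS,   (const unsigned char *)"evil\0.example", 13 };
static general_name_t sample_ok  = { GEN_DNS,   (const unsigned char *)"sensor.example", 14 };
static general_name_t *sample_items[] = { NULL, &sample_ip, &sample_bad, &sample_ok };
static const name_stack_t sample_san = { sample_items, 4 };

const name_stack_t *sample_san_list(void) {
    return &sample_san;
}

int main(void) {
    char *dns = safe_first_dns_name(sample_san_list());
    printf("hardened walk selected: %s\n", dns ? dns : "(none, fall back to CN)");
    free(dns);
    return 0;
}
```

Compile with a plain C compiler and run; the hardened walk returns "sensor.example" for the sample list, skipping the empty slot that would crash unsafe_first_dns_name(). The equivalent interim fix in src/coap_openssl.c is a NULL check on the sk_GENERAL_NAME_value() result before any field of the returned GENERAL_NAME is read.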
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 692467ebff33e781bff0e362
Added to database: 11/24/2025, 2:12:59 PM
Last enriched: 12/1/2025, 2:42:02 PM
Last updated: 12/2/2025, 6:51:50 PM