CVE-2025-65499 is a vulnerability identified in libcoap version 4.3.5, an open-source implementation of the Constrained Application Protocol (CoAP) commonly used in IoT and constrained network environments. The flaw resides in the tls_verify_call_back() function within the source file src/coap_openssl.c, where an array index error occurs due to improper handling of the return value from SSL_get_ex_data_X509_STORE_CTX_idx(). Specifically, when a crafted DTLS handshake is received, this function can return -1, which is not properly checked before being used as an array index, leading to out-of-bounds access. This results in a denial of service condition by crashing or destabilizing the libcoap service handling the handshake. The vulnerability is exploitable remotely without authentication and requires the attacker to initiate a DTLS handshake, which constitutes user interaction. The CVSS v3.1 base score is 4.3 (medium), reflecting the limited impact on confidentiality and integrity but a clear impact on availability. No patches or fixes have been published at the time of disclosure, and no known exploits exist in the wild. The underlying weakness corresponds to CWE-129 (Improper Validation of Array Index). Given libcoap’s role in constrained environments and IoT devices, this vulnerability could disrupt services relying on DTLS-secured CoAP communications.

For European organizations, the primary impact of CVE-2025-65499 is a denial of service condition affecting devices and services using libcoap 4.3.5 with DTLS enabled. This can lead to temporary unavailability of IoT devices, sensors, or constrained network services, potentially disrupting critical infrastructure monitoring, industrial control systems, or smart city applications. While the vulnerability does not compromise data confidentiality or integrity, the loss of availability could affect operational continuity, especially in sectors relying on real-time data and control such as energy, manufacturing, and transportation. The medium severity rating reflects that exploitation is relatively straightforward but limited to causing service disruption rather than data breach or system takeover. European organizations with extensive IoT deployments or those integrating CoAP-based communication protocols should consider the risk of service interruptions and plan accordingly. The absence of known exploits reduces immediate urgency but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

1. Network-level filtering: Restrict incoming DTLS handshake traffic to trusted sources and known endpoints to reduce exposure to crafted handshake attempts. 2. Monitoring and anomaly detection: Implement monitoring for unusual DTLS handshake patterns or repeated handshake failures that could indicate exploitation attempts. 3. Update planning: Track libcoap project communications and prepare to apply patches or upgrade to a fixed version once released. 4. Defensive coding: For organizations maintaining custom forks or integrations of libcoap, audit and patch the tls_verify_call_back() function to validate the return value of SSL_get_ex_data_X509_STORE_CTX_idx() before use. 5. Segmentation: Isolate IoT and constrained devices using libcoap in network segments with limited access to reduce attack surface. 6. Incident response readiness: Develop response plans for potential denial of service incidents affecting IoT or constrained devices. These steps go beyond generic advice by focusing on network controls, proactive monitoring, and readiness for patch deployment specific to the nature of this vulnerability.