CVE-2025-67109
CVE-2025-67109 is a critical-severity vulnerability in Eclipse Cyclone Data Distribution Service with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-298.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 0% (21st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-204853
- Weakness: CWE-298
- Affected product: Eclipse Cyclone Data Distribution Service
- Published:
- Last modified:
Description
Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.
Frequently asked questions
- What is CVE-2025-67109?
- Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.
- How severe is CVE-2025-67109?
- CVE-2025-67109 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-67109 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (21st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-67109?
- CVE-2025-67109 affects Eclipse Cyclone Data Distribution Service. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-67109?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2025-67109 have an EU (EUVD) identifier?
- Yes. CVE-2025-67109 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-204853.
- When was CVE-2025-67109 published?
- CVE-2025-67109 was published on 2025-12-23 and last updated on 2026-07-05.
References
- https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6
- https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/ddsrt/src/time/posix/time.c#L28
- https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/security/builtin_plugins/authentication/src/auth_utils.c#L84
EU advisories (EUVD)
Affected products (1)
- cpe:2.3:a:eclipse:cyclone_data_distribution_service:*:*:*:*:*:*:*:*
More vulnerabilities in Eclipse Cyclone Data Distribution Service
- CVE-2024-10838 — Critical (CVSS 9.1): An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. This…
- CVE-2020-18735 — High (CVSS 7.5): A heap buffer overflow in /src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server…
- CVE-2020-18734 — High (CVSS 7.5): A stack buffer overflow in /ddsi/q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server…
All CVEs affecting Eclipse Cyclone Data Distribution Service →
Other CWE-298 vulnerabilities
- CVE-2025-67108 — Critical (CVSS 10.0): eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure…
- CVE-2025-61736 — High (CVSS 7.1): Successful exploitation of this vulnerability could result in the product failing to re-establish communication once…
- CVE-2025-4384 — Medium (CVSS 6.0): The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet…
- CVE-2025-59036 — Medium (CVSS 5.5): Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the…
- CVE-2024-1248 — Medium (CVSS 4.8): The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly…