CRITICAL🇵🇱 Wersja polska

CVE-2025-67109

CVSS 10.0v3.1pub. 2025-12-23upd. 2026-07-05

Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.

🤖 AI Analysis
How it works

The authentication mechanism in Eclipse Cyclone DDS improperly verifies the timestamp of TLS/X.509 certificates, which corresponds to CWE-298 classification (Improper Validation of Certificate Expiration). A network attacker, without requiring privileges or user interaction, can provide a certificate with an incorrect or manipulated timestamp that will be incorrectly accepted by the system. As a result, it is possible to bypass identity control mechanisms and execute arbitrary commands.

Impact

A remote, unauthenticated attacker can completely bypass certificate verification and gain the ability to execute commands with system privileges (privilege escalation to SYSTEM level), resulting in full compromise of the vulnerable DDS node.

Mitigation & patch

Eclipse Cyclone DDS should be immediately updated to version 0.10.5 or later. If an immediate update is not possible, consider isolating DDS nodes at the network level (restricting access to trusted hosts only) as a temporary measure.

Who is affected

Eclipse Cyclone DDS versions prior to 0.10.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Eclipse Cyclone Data Distribution Service

    APP
    Eclipse
    < 0.10.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-10838HIGH8.8ten sam produkt

An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memo...

CVE-2020-18734HIGH7.5ten sam produkt

A stack buffer overflow in /ddsi/q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscribe...

CVE-2020-18735HIGH7.5ten sam produkt

A heap buffer overflow in /src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscribe...

CVE-2026-2586CRITICAL9.1ten sam vendor

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Consol...

CVE-2026-2587CRITICAL9.6ten sam vendor

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mech...