CVE-2025-67108
Unknown Unknown - Not Provided
Improper Validation in eProsima Fast-DDS v3.3 Enables Insecure Connections

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: MITRE

Description
eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67108
EUVD
EUVD-2025-204854
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
eprosima fast-dds 3.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-298 A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
CWE-370 The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67108 affects eProsima Fast-DDS version 3.3 and involves improper validation of certificate expiration and missing checks for certificate revocation after the initial validation. The vulnerability lies in the certificate expiration validation process, which is only performed during the initial handshake phase. After the connection is established and permissions are granted, Fast-DDS v3.3 does not perform ongoing certificate expiration checks. This allows attackers to exploit certificates that have expired by maintaining communication even after expiration, bypassing security policies and access controls, and undermining the certificate authentication mechanism. [2]

Impact Analysis

This vulnerability can lead to insecure communications and unauthorized access because attackers can maintain connections using expired certificates. It undermines the security policies and access controls of Fast-DDS, potentially allowing attackers to bypass authentication mechanisms and gain unauthorized access to systems or data. [2]

Compliance Impact

This vulnerability can cause potential compliance violations because it undermines certificate authentication mechanisms and security policies that are often required by standards and regulations such as GDPR and HIPAA to protect sensitive data and ensure secure communications. [2]

Detection Guidance

This vulnerability can be detected by monitoring for connections that continue to communicate using certificates that have expired after the initial handshake. Since Fast-DDS v3.3 does not perform ongoing certificate expiration checks, you can inspect TLS/SSL sessions to identify certificates that are no longer valid but still active. Commands such as `openssl s_client -connect <host>:<port> -showcerts` can be used to retrieve and inspect certificates on the server side. Additionally, network traffic analysis tools like Wireshark can be used to capture and analyze TLS handshakes and certificate validity periods. However, there are no specific built-in commands in Fast-DDS to detect this vulnerability automatically. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading eProsima Fast-DDS to a version later than 3.3 where this certificate validation issue is fixed. If an upgrade is not immediately possible, implement external monitoring and enforcement of certificate validity, such as revoking compromised or expired certificates at the certificate authority level and blocking connections using expired certificates at the network perimeter. Additionally, consider restricting network access to trusted clients and enforcing strict certificate management policies to reduce the risk of unauthorized access due to this vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart