CVE-2025-67108
Improper Validation in eProsima Fast-DDS v3.3 Enables Insecure Connections

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: MITRE

Description
eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.
Meta Information
Published: 2025-12-23
Last Modified: 2025-12-23
Generated: 2026-05-07
AI Q&A: 2025-12-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: eprosima
Product: fast-dds
Version / Range: 3.3
CWE
CWE-370: The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.
CWE-298: A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-67108 affects eProsima Fast-DDS version 3.3 and involves improper validation of certificate expiration and missing checks for certificate revocation after the initial validation. The vulnerability lies in the certificate expiration validation process, which is only performed during the initial handshake phase. After the connection is established and permissions are granted, Fast-DDS v3.3 does not perform ongoing certificate expiration checks. This allows attackers to exploit certificates that have expired by maintaining communication even after expiration, bypassing security policies and access controls, and undermining the certificate authentication mechanism. [2]


How can this vulnerability impact me?

This vulnerability can lead to insecure communications and unauthorized access because attackers can maintain connections using expired certificates. It undermines the security policies and access controls of Fast-DDS, potentially allowing attackers to bypass authentication mechanisms and gain unauthorized access to systems or data. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can cause potential compliance violations because it undermines certificate authentication mechanisms and security policies that are often required by standards and regulations such as GDPR and HIPAA to protect sensitive data and ensure secure communications. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for connections that continue to communicate using certificates that have expired after the initial handshake. Since Fast-DDS v3.3 does not perform ongoing certificate expiration checks, you can inspect TLS/SSL sessions to identify certificates that are no longer valid but still active. Commands such as `openssl s_client -connect <host>:<port> -showcerts` can be used to retrieve and inspect certificates on the server side. Additionally, network traffic analysis tools like Wireshark can be used to capture and analyze TLS handshakes and certificate validity periods. However, there are no specific built-in commands in Fast-DDS to detect this vulnerability automatically. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading eProsima Fast-DDS to a version later than 3.3 where this certificate validation issue is fixed. If an upgrade is not immediately possible, implement external monitoring and enforcement of certificate validity, such as revoking compromised or expired certificates at the certificate authority level and blocking connections using expired certificates at the network perimeter. Additionally, consider restricting network access to trusted clients and enforcing strict certificate management policies to reduce the risk of unauthorized access due to this vulnerability. [2]

