CVE-2025-10450
Severity: HIGH
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.2.0 before 7.3.1.
Analysis
RTI Connext Professional 7.2.0 up to (not including) 7.3.1 and 7.4.0 up to (not including) 7.7.0 exposes private personal information to an unauthorized actor who can capture the middleware's network traffic. The CVSS 4.0 base vector rates the issue HIGH: network reachable (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), with a high confidentiality impact and only low integrity and availability impact on the vulnerable system (VC:H/VI:L/VA:L). Because Connext is distributed data-sharing middleware used in critical infrastructure and industrial systems, the data exposed can be sensitive even though the attacker is a passive observer. EPSS exploitation probability is minimal (0.05%, 15th percentile), and no confirmed active exploitation or public exploit code had been identified at the time of analysis.
Technical Context
RTI Connext Professional is a Data Distribution Service (DDS) middleware implementation used for real-time, mission-critical communications in aerospace, defense, healthcare, and industrial IoT systems; the affected component is its Core Libraries. The weakness is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), meaning sensitive data is placed on the network without adequate protection, and the attack pattern is network traffic sniffing. The affected versions span two release branches: 7.2.0 through 7.3.0 (fixed in 7.3.1) and 7.4.0 through 7.6.x (fixed in 7.7.0). In the CVSS 4.0 vector, Attack Requirements: Present (AT:P) means exploitation depends on deployment or execution conditions that the attacker does not control; for a sniffing vector that is the need to be positioned where the DDS traffic can be observed. Given that position, no authentication (PR:N) and no user interaction (UI:N) are needed to read the DDS communication streams and extract confidential information, which is the privacy risk in distributed real-time systems where Connext mediates machine-to-machine communication.
Affected Products
RTI Connext Professional versions 7.2.0 up to (not including) 7.3.1 and versions 7.4.0 up to (not including) 7.7.0 are affected by this privacy exposure vulnerability. The CPE product identifier cpe:2.3:a:rti:connext_professional denotes the commercial Connext Professional product line, and both version ranges fall under it. Organizations should verify the Connext Professional versions they have deployed against these ranges, particularly in distributed systems handling sensitive personal information or operating in regulated environments such as medical devices, connected vehicle platforms, defense communications systems, and industrial control networks where DDS middleware manages real-time data distribution. The vendor advisory at https://www.rti.com/vulnerabilities/#cve-2025-10450 provides the authoritative affected version details.
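The version check described above, written out as an added example (this is not RTI code or tooling): it encodes the two affected ranges exactly as the CVE text states them ("from 7.2.0 before 7.3.1", "from 7.4.0 before 7.7.0"), handles three- and four-component version strings, and reports which fixed release each affected install should move to. The inventory records at the bottom are constructed sample data.

```python
import re

# Affected ranges as (inclusive lower bound, exclusive upper bound, fixed release),
# taken from the CVE description; the fixed release is the upper bound itself.
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 3, 1), "7.3.1"),
    ((7, 4, 0), (7, 7, 0), "7.7.0"),
]


def parse_version(text):
    """Turn '7.3.0' or '7.3.0.1' into a comparable integer tuple, zero-padded
    to at least three components so '7.3' compares equal to '7.3.0'."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def fixed_version_for(version):
    """Return the fixed release an affected version must be upgraded to,
    or None when the version is not in an affected range.
    Tuple comparison gives 'before 7.3.1' semantics for free: (7,3,0,1) < (7,3,1)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v < high:
            return fixed
    return None


def is_affected(version):
    return fixed_version_for(version) is not None


def triage(inventory):
    """inventory: iterable of (hostname, connext_version). Returns a list of
    (hostname, current_version, upgrade_to) for every affected host."""
    findings = []
    for host, version in inventory:
        fixed = fixed_version_for(version)
        if fixed is not None:
            findings.append((host, version, fixed))
    return findings


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("hmi-01", "7.3.0"),      # affected, fix in 7.3.1
    ("hmi-02", "7.3.1"),      # already fixed
    ("plc-gw-01", "7.6.1"),   # affected, fix in 7.7.0
    ("plc-gw-02", "7.7.0"),   # already fixed
    ("historian", "7.1.0"),   # outside both ranges
]

if __name__ == "__main__":
    for host, current, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {current} affected by CVE-2025-10450, upgrade to {fixed}")
```

The check deliberately treats a version outside both ranges (for example 7.1.0 or 6.x) as not affected by this CVE only; it says nothing about other advisories for those releases, so pair it with the vendor advisory rather than using it as a general support-status check.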
Remediation
Vendor-released patches are available: upgrade to RTI Connext Professional 7.3.1 or later on the 7.2.x/7.3.x branch, or to 7.7.0 or later on the 7.4.x through 7.6.x branch. Consult the official RTI vulnerability advisory at https://www.rti.com/vulnerabilities/#cve-2025-10450 for patch download links, installation procedures, and compatibility notes. Where immediate patching is not feasible, interim mitigations reduce the attacker's ability to observe the traffic, which is the precondition for this vulnerability: isolate Connext Professional communications to trusted network segments, restrict network access to only the systems that legitimately participate in the relevant DDS domains, enable encrypted transport for DDS traffic where the deployment supports it, and monitor for unexpected hosts or traffic patterns on the DDS communication ports. Also audit application configurations so that sensitive personal information published over DDS is classified and protected with the DDS Security plugins where they are part of the deployment. These measures limit exposure but do not remove the defect; the upgrade does.