Eclipse Cyclone DDS CVE-2025-67109
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Network-reachable, low-complexity, unauthenticated certificate bypass (PR:N is the point of the flaw); S:U retained absent evidence of a cross-authority scope change, with high C/I/A per the stated impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.
AnalysisAI
Certificate-validation bypass in Eclipse Cyclone DDS before 0.10.5 lets unauthenticated network attackers defeat the DDS Security authentication plugin's certificate checks, and per the advisory execute commands with System privileges. The flaw stems from improper verification of certificate time/expiration (CWE-298), meaning expired or otherwise time-invalid certificates can be accepted as valid, enabling impersonation of trusted DDS participants. The EPSS score is low (0.30%, 22nd percentile) and there is no CISA KEV listing, so despite the maximal 10.0 CVSS there is no confirmed active exploitation at time of analysis.
Technical ContextAI
DDS (Data Distribution Service) is an OMG publish/subscribe middleware standard for real-time and distributed systems; Eclipse Cyclone DDS is a widely used open-source implementation and the default middleware (RMW) layer for ROS 2 robotics stacks. The DDS Security specification defines an authentication plugin that uses X.509 certificates to mutually authenticate participants before they join a secure domain - the referenced source (src/security/builtin_plugins/authentication/src/auth_utils.c) is where certificate handling occurs, and src/ddsrt/src/time/posix/time.c handles the time primitives used for validity checks. CWE-298 (Improper Validation of Certificate Expiration) is the root-cause class: the code fails to correctly compare the certificate's notBefore/notAfter validity window against current time, so an expired or time-manipulated certificate passes validation, breaking the trust anchor that gates domain membership.
RemediationAI
Vendor-released patch: upgrade Eclipse Cyclone DDS to version 0.10.5 or later, which corrects the certificate time/expiration validation. Because the fix version is inferred from the NVD 'before v0.10.5' phrasing rather than a linked release advisory, confirm the exact patched tag against the eclipse-cyclonedds/cyclonedds repository release notes before rolling out. If immediate patching is not possible, reduce exposure by restricting network reachability of DDS discovery and data ports to trusted segments (isolate the DDS domain on a dedicated VLAN or via firewall rules) so untrusted hosts cannot present certificates to the authentication plugin, accepting the trade-off that this breaks any legitimate cross-segment participants; additionally, tightly manage and short-rotate the CA-issued participant certificates and monitor for participants presenting expired certificates, though these are detective rather than preventive controls. Reference source files: https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/security/builtin_plugins/authentication/src/auth_utils.c#L84 and https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/ddsrt/src/time/posix/time.c#L28.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today