CVE-2025-67109
Published: 23 December 2025
Description
Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: apply the vendor fix promptly by upgrading Eclipse Cyclone DDS to v0.10.5 or later; no configuration workaround is given in the advisory.
- PKI certificate management: require that certificate validation in deployed components enforce the validity period (notBefore/notAfter) against a trustworthy clock, which is exactly the check this flaw defeats; verify that the deployed build performs it rather than assuming it does.
- Vulnerability monitoring and scanning: inventory Cyclone DDS installations (including copies vendored into other products) and flag any version below v0.10.5 for remediation.
Security Summary
CVE-2025-67109 is an improper verification of certificate validity time in Eclipse Cyclone DDS versions before v0.10.5, classified as CWE-298 (Improper Validation of Certificate Expiration). Because the time check can be defeated, a certificate that should be rejected as expired or not yet valid is accepted, so the certificate check as a whole can be bypassed. Published on 2025-12-23, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), the maximum severity.
The flaw is reachable over the network with low attack complexity and needs neither privileges nor user interaction. The referenced code sits in the built-in authentication plugin, so an attacker who can reach a DDS Security participant can present a certificate that fails the time check yet is accepted; the description states that this leads to command execution with System privileges, with high impact to confidentiality, integrity, and availability and a changed scope (the compromised process affects resources beyond the vulnerable component).
The references are the Eclipse website at http://eclipse.com, a GitHub Gist at https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6, and two locations in the CycloneDDS repository: src/ddsrt/src/time/posix/time.c#L28 (the POSIX time source used by the runtime) and src/security/builtin_plugins/authentication/src/auth_utils.c#L84 (utility code of the built-in authentication plugin). Together they point at the interaction between how the current time is obtained and how it is compared with the certificate's validity period. The remediation is to upgrade to v0.10.5 or later.
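The control the summary describes is a validity-period check that fails closed: a certificate is accepted only when a trustworthy clock reading lies inside [notBefore, notAfter], and any failure to obtain the time rejects the certificate rather than skipping the comparison. The following is an added example written for this page; it is not Cyclone DDS code and not a reconstruction of the fix. It parses the two ASN.1 time encodings RFC 5280 allows in the Validity field (UTCTime with its 1950/2049 two-digit-year pivot, and GeneralizedTime) and rejects on a malformed field, an inverted period, a clock call that raises, a zone-less reading, or a reading that looks unset (the epoch). The function names, the sample validity periods and the "earliest plausible now" threshold are all constructed for the example.

```python
"""Fail-closed X.509 validity-period check (illustration of CWE-298 handling).

Added example for this page; not Cyclone DDS code.  A certificate is accepted
only when a trustworthy clock reading lies inside [notBefore, notAfter].  Any
failure to obtain the time, a malformed validity field, or a clock that looks
unset rejects the certificate instead of skipping the check.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Readings at or before this instant are treated as "clock not set", e.g. a
# time routine that swallowed an error and returned the Unix epoch.
# Threshold chosen for this example; it is not a standard value.
_EARLIEST_PLAUSIBLE_NOW = datetime(2000, 1, 1, tzinfo=timezone.utc)


def parse_asn1_time(s: str) -> datetime:
    """Parse an RFC 5280 Validity time: UTCTime 'YYMMDDHHMMSSZ' or
    GeneralizedTime 'YYYYMMDDHHMMSSZ'.  Both must be UTC ('Z')."""
    if not s.endswith("Z"):
        raise ValueError(f"ASN.1 time must end in 'Z': {s!r}")
    body = s[:-1]
    if not body.isdigit():
        raise ValueError(f"non-digit characters in ASN.1 time: {s!r}")
    if len(body) == 12:
        # UTCTime two-digit year (RFC 5280 4.1.2.5.1): 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unexpected ASN.1 time length: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    # datetime() itself raises ValueError for impossible dates such as month 13
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_validity(not_before: str, not_after: str,
                   now_fn: Callable[[], Optional[datetime]],
                   max_skew_s: int = 0) -> str:
    """Return 'accept' or 'reject: <reason>'.  Never accepts on an error path."""
    try:
        nb = parse_asn1_time(not_before)
        na = parse_asn1_time(not_after)
    except ValueError:
        return "reject: malformed validity"
    if na < nb:
        return "reject: notAfter precedes notBefore"
    try:
        now = now_fn()
    except Exception:  # a clock failure is a rejection, not an exemption
        now = None
    if now is None or now.tzinfo is None or now <= _EARLIEST_PLAUSIBLE_NOW:
        return "reject: clock unavailable"
    skew = timedelta(seconds=max_skew_s)
    if now + skew < nb:
        return "reject: not yet valid"
    if now - skew > na:
        return "reject: expired"
    return "accept"


# Clock sources for the demonstration (constructed for this example).
def clock_at(asn1_time: str) -> Callable[[], datetime]:
    """A fixed clock, used to exercise the boundary cases."""
    return lambda: parse_asn1_time(asn1_time)

def system_clock() -> datetime:
    return datetime.now(timezone.utc)

def epoch_clock() -> datetime:
    """Models a time routine that ignored an error and returned the epoch."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc)

def failing_clock() -> datetime:
    raise OSError("clock_gettime failed")

def naive_clock() -> datetime:
    """Models a time routine that returns local time without a zone."""
    return datetime(2025, 6, 15, 12, 0, 0)


if __name__ == "__main__":
    nb, na = "250101000000Z", "20260101000000Z"  # constructed sample validity period
    for name, clk in [("in window", clock_at("250615120000Z")),
                      ("after notAfter", clock_at("260102000000Z")),
                      ("epoch clock", epoch_clock), ("failing clock", failing_clock),
                      ("system clock", system_clock)]:
        print(f"{name:15s} -> {check_validity(nb, na, clk)}")
```

The point of routing every clock through `now_fn` is that the error handling of the time source becomes part of the security decision: a reading that cannot be trusted produces a rejection, never an accept. The `max_skew_s` parameter is the only place tolerance enters, and it defaults to zero so that loosening it is a deliberate choice.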
Details
- CWE(s): CWE-298, Improper Validation of Certificate Expiration
Affected Products
- Eclipse Cyclone DDS, versions before v0.10.5 (fixed in v0.10.5)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets a remote, unauthenticated attacker bypass certificate validation in Eclipse Cyclone DDS, a network-facing middleware, and proceed to remote code execution. Exploiting a reachable service's own input handling in this way maps to T1190: Exploit Public-Facing Application.