Improper Certificate Validation in Fast DDS - CVE-2025-24807

 

Published: February 11, 2025 / Updated: April 9, 2026


Vulnerability identifier: #VU125724
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-24807
CWE-ID: CWE-295
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: eProsima
Affected software:
Fast DDS

Detailed vulnerability description

The vulnerability allows a local user to have governance or permissions documents accepted even though they were signed under an expired permissions certificate authority.

The vulnerability exists due to improper certificate validation in the access control plugin when it validates S/MIME-signed governance or permissions data. A local user can supply governance or permissions data signed by an expired permissions certificate authority, and the plugin accepts it instead of rejecting the expired signer.

The permissions certificate authority chain is not fully validated. The issue also affects deployments where the permissions certificate authority is not self-signed and the full certificate chain is included.
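The following is an added illustration of the chain-validation point above; it is not eProsima code and does not reproduce Fast DDS internals. It assumes the Python `cryptography` package is available. It builds a constructed permissions CA whose validity window has already ended, a document-signing certificate issued by that CA, and then contrasts a check that only inspects the signing certificate with one that checks every certificate up to and including the trust anchor (the same function also handles a non-self-signed CA with intermediates, since it walks an arbitrary chain).

```python
"""Added example (not Fast DDS code): leaf-only versus full-chain validation.
Assumes the 'cryptography' package; all certificates here are constructed."""
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

UTC = dt.timezone.utc


def _make_cert(subject, issuer, subject_key, signing_key, not_before, not_after, is_ca):
    """Build and sign one X.509 certificate (ECDSA P-256, SHA-256)."""
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def build_constructed_chain(now, ca_expired=True):
    """Constructed test data: a self-signed permissions CA and a signer it issued.
    With ca_expired=True the CA's validity ended 30 days ago while the signer
    certificate is still inside its own window, which is the case the advisory
    describes."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Permissions CA")])
    ca_end = now - dt.timedelta(days=30) if ca_expired else now + dt.timedelta(days=365)
    ca_cert = _make_cert(ca_name, ca_name, ca_key, ca_key,
                         now - dt.timedelta(days=400), ca_end, True)
    signer_key = ec.generate_private_key(ec.SECP256R1())
    signer_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Governance Signer")])
    signer_cert = _make_cert(signer_name, ca_name, signer_key, ca_key,
                             now - dt.timedelta(days=200), now + dt.timedelta(days=100), False)
    return ca_cert, signer_cert


def _validity(cert):
    """Return (not_before, not_after) as aware UTC datetimes across library versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def _signed_by(cert, issuer):
    """True if cert's signature verifies under the issuer's public key."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def leaf_only_check(signer_cert, ca_cert, now):
    """Weak pattern: checks the signer's window and that the CA signed it, but
    never asks whether the CA itself is still valid. Accepts an expired CA."""
    nb, na = _validity(signer_cert)
    return nb <= now <= na and _signed_by(signer_cert, ca_cert)


def full_chain_check(chain, trust_anchor, now):
    """Hardened pattern: every certificate from the signer up to and including
    the trust anchor must be inside its validity window, each must chain by
    name and signature to the next, and the anchor must verify under its own key."""
    path = list(chain) + [trust_anchor]
    for cert in path:
        nb, na = _validity(cert)
        if not (nb <= now <= na):
            return False
    for cert, issuer in zip(path, path[1:]):
        if cert.issuer != issuer.subject or not _signed_by(cert, issuer):
            return False
    return _signed_by(trust_anchor, trust_anchor)


def demo(now=None):
    """Returns (weak_result, strict_result) for the expired-CA chain."""
    now = now or dt.datetime.now(UTC)
    ca_cert, signer_cert = build_constructed_chain(now, ca_expired=True)
    return leaf_only_check(signer_cert, ca_cert, now), full_chain_check([signer_cert], ca_cert, now)


if __name__ == "__main__":
    print("leaf-only accepts expired CA: %s, full chain accepts: %s" % demo())
```

The detection value for a defender is the gap between the two results: a validator that reports the governance document as good while `full_chain_check` rejects it is exhibiting exactly the CWE-295 behaviour described above. Passing intermediates in `chain` (signer first) covers the non-self-signed CA deployment the advisory mentions.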


How to mitigate CVE-2025-24807

Install the security update from the vendor's website.