
ads-tec Industrial IT: Mosquitto MQTT Client Vulnerability in ADS-TEC IRF Products

VDE-2025-033
Last update: 14.04.2025 12:00
Published at: 14.04.2025 12:00
Vendor(s): ads-tec Industrial IT GmbH
External ID: VDE-2025-033

Summary

The ADS-TEC firewall products IRF1000, IRF2000, and IRF3000 include Eclipse Mosquitto, which is affected by multiple vulnerabilities. Exploitation requires a compromised upstream MQTT broker, which limits direct device exposure.

Impact

Exploitation could result in denial-of-service (DoS) or Mosquitto crashes. Remote code execution (RCE) is theoretically possible but mitigated by security hardening and user-level process isolation.

Affected Product(s)

Model no. Product name Affected versions
DVG-IRF1401 Firmware <2.1.0
DVG-IRF1421 Firmware <2.1.0
DVG-IRF2100 Firmware <6.1.0
DVG-IRF2200 Firmware <6.1.0
DVG-IRF2220 Firmware <6.1.0
DVG-IRF2601 Firmware <6.1.0
DVG-IRF2621 Firmware <6.1.0
DVG-IRF3401 Firmware <2.1.0
DVG-IRF3421 Firmware <2.1.0
DVG-IRF3801 Firmware <2.1.0
DVG-IRF3821 Firmware <2.1.0

Vulnerabilities


Published: 22.09.2025 14:57
Weakness: Heap-based Buffer Overflow (CWE-122)
Summary

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make an out-of-bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.
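
A receive-side check for the SUBACK case described above, as an added example that is not part of the advisory or of libmosquitto: a self-contained MQTT 3.1.1 SUBACK parser that rejects a packet carrying no return codes before any callback indexes the array. The status names, struct and function are hypothetical, the sample packets are constructed, and MQTT 5 properties are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status names are hypothetical (this example's own, not libmosquitto's). */
enum suback_status { SUBACK_OK, SUBACK_TRUNCATED, SUBACK_BAD_TYPE,
                     SUBACK_BAD_LENGTH, SUBACK_NO_REASON_CODES };

struct suback {
    uint16_t mid;          /* packet identifier */
    const uint8_t *codes;  /* return codes, pointing into the caller's buffer */
    size_t code_count;     /* always >= 1 when parse_suback() returns SUBACK_OK */
};

/* Parse one MQTT 3.1.1 SUBACK held exactly in buf[0..len): fixed header 0x90,
 * variable-length Remaining Length, 2-byte packet id, then the return codes. */
enum suback_status parse_suback(const uint8_t *buf, size_t len, struct suback *out)
{
    size_t pos = 1, remaining = 0;
    unsigned shift = 0;
    uint8_t b;

    if (len < 2) return SUBACK_TRUNCATED;
    if (buf[0] != 0x90) return SUBACK_BAD_TYPE;
    do {  /* Remaining Length: at most 4 bytes, 7 bits each, bit 7 = more */
        if (pos >= len) return SUBACK_TRUNCATED;
        if (shift > 21) return SUBACK_BAD_LENGTH;
        b = buf[pos++];
        remaining |= (size_t)(b & 0x7F) << shift;
        shift += 7;
    } while (b & 0x80);
    if (remaining != len - pos) return SUBACK_BAD_LENGTH;
    if (remaining < 2) return SUBACK_TRUNCATED;
    /* The case from the advisory: a packet id followed by no codes at all. */
    if (remaining == 2) return SUBACK_NO_REASON_CODES;

    out->mid = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    out->codes = buf + pos + 2;
    out->code_count = remaining - 2;
    return SUBACK_OK;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    const uint8_t ok[] = { 0x90, 0x03, 0x00, 0x01, 0x01 };
    const uint8_t empty[] = { 0x90, 0x02, 0x00, 0x01 };
    struct suback s;
    printf("ok=%d empty=%d\n", (int)parse_suback(ok, sizeof ok, &s),
           (int)parse_suback(empty, sizeof empty, &s));
    return 0;
}
```

A callback that only ever sees a `struct suback` returned with `SUBACK_OK` can read `codes[0]` safely, because `code_count` is guaranteed to be at least 1.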


Published: 22.09.2025 14:57
Weakness: Use After Free (CWE-416)
Summary

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.


Published: 22.09.2025 14:57
Weakness: Double Free (CWE-415)
Summary

In Eclipse Mosquitto, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker, a double free will occur with a subsequent crash of the broker.


Mitigation

Disable MQTT publishing or ensure connections are made only to trusted and TLS-secured MQTT brokers.

Remediation

Update to firmware IRF1000 v2.1.0, IRF2000 v6.1.0, IRF3000 v2.1.0 or later.

Revision History

Version Date Summary
1 14.04.2025 12:00 Initial revision