CVE-ID: CVE-2025-67109
PRODUCT: Eclipse Cyclone DDS - affected from 0 before 0.10.5
TYPE: CWE-298: Improper Validation of Certificate Expiration
DESCRIPTION: Improper verification of certificate validity time in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate expiration checks.
DETAILS: Cyclone DDS uses the manipulable system time instead of a trusted time source during certificate verification, so certificate expiration checks can be bypassed. The weakness lies in the dds_time function in time.c, which uses clock_gettime(CLOCK_REALTIME) to obtain the system wall-clock time; that clock can be modified by a user with appropriate permissions or through system-level attacks. In the get_certificates_expiry and check_certificates_expiry functions of auth_utils.c, certificate validation depends on the time returned by dds_time() and on OpenSSL's X509_cmp_current_time(). Changing the system clock therefore makes expired certificates appear valid, or not-yet-valid certificates appear currently valid, allowing an attacker to bypass certificate expiration verification and defeat the identity authentication and access control mechanisms that depend on it.
MORE: https://github.com/lkoliver/poc/tree/main/CVE-2025-67109