NXP Semiconductors MQX RTOS (Update A)

Act Now8.1ICS-CERT ICSA-17-285-04AOct 12, 2017

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

NXP MQX RTOS contains buffer overflow and out-of-bounds read vulnerabilities (CWE-120, CWE-125) in versions 4.1 and earlier, and 5.0. These vulnerabilities are remotely exploitable with low skill level to exploit, affecting devices running MQX RTOS across industrial and embedded applications.

What this means

What could happen

An attacker could remotely execute arbitrary code on devices running MQX RTOS without authentication, potentially taking control of embedded control systems or data acquisition devices in operational environments.

Who's at risk

This affects embedded devices and industrial equipment using NXP MQX RTOS as their operating system, including microcontroller-based controllers, data loggers, IoT devices, and legacy embedded systems in water treatment, electric utilities, and manufacturing environments.

How it could be exploited

An attacker with network access to a device running vulnerable MQX RTOS could send a crafted packet that triggers a buffer overflow or out-of-bounds memory access, allowing code execution on the target device.

Prerequisites

Network access to the affected device
Device must be running MQX RTOS version 4.1 or earlier, or version 5.0

remotely exploitableno authentication requiredlow complexityhigh EPSS score (>10%)no patch available

Exploitability

High exploit probability (EPSS 25.8%)

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

MQX RTOS:≤ 4.1No fix (EOL)

MQX RTOS:≤ 5.0No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIdentify all devices using MQX RTOS 4.1 or earlier, and 5.0 in your network and document them

HARDENINGImplement network segmentation to isolate devices running MQX RTOS from direct internet and untrusted network access

WORKAROUNDDeploy firewall rules to restrict network traffic to only necessary ports and protocols for legitimate device communication

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for suspicious network activity targeting MQX RTOS devices and log all connections

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: MQX RTOS:, MQX RTOS:. Apply the following compensating controls:

HARDENINGEvaluate migration path to alternative RTOS or upgrade to a patched version when available from NXP

CVEs (2)

CVE-2017-12718 CVE-2017-12722

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0c2878a1-78a1-41de-bc68-cfd390256974