P-Net Profinet stack now even more robust
In May 2025, Nozomi Networks Labs ran an extensive fuzz testing campaign against P-Net version 1.0.1, our open-source C implementation of the PROFINET protocol. This in-depth analysis uncovered 10 memory corruption vulnerabilities, all associated with UDP-based RPC handling.
The vulnerabilities included heap-based buffer overflows, out-of-bounds reads and writes, null pointer dereferences, and unchecked loop conditions. These types of flaws can lead to device crashes or denial-of-service in industrial systems. For example, CVE-2025-32399 could force an IO device into an infinite CPU-consuming loop, and CVE-2025-32405 could overwrite memory buffers, rendering devices unresponsive.
To uncover these issues, Nozomi’s team developed two types of fuzzing harnesses: one focused on feeding individual UDP packets via stdin, and another that simulated an established session to test deeper protocol behavior. The campaign targeted UDP-RPC ports 34964 and 49155, mirroring real-world attack vectors and emphasizing the need for state-aware fuzzing in industrial stacks.
Immediate action and ongoing improvements
All reported vulnerabilities have been resolved in P-Net version 1.0.2, released on April 28, 2025. Additionally, we have integrated fuzz testing with libFuzzer as a permanent part of our CI pipeline. This strengthens our ability to detect memory safety issues early and helps safeguard against regressions in future releases.
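The difference between the two harness styles described above, written against libFuzzer's entry point as an added example; it is not P-Net's or Nozomi's code. The toy packet format and the names `toy_rpc_handle`, `fuzz_single_packet` and `fuzz_session` are hypothetical, chosen to show that a request path guarded by session state is only reached when the harness replays several datagrams against one session.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical toy protocol, NOT P-Net code: datagram = [type:1][len:1][payload]. */
enum { PKT_CONNECT = 0x01, PKT_REQUEST = 0x02, MAX_PAYLOAD = 64 };
typedef struct {
    int connected;                 /* set once a CONNECT was accepted */
    unsigned requests_parsed;      /* how often the in-session path ran */
    uint8_t payload[MAX_PAYLOAD];
} toy_session;
/* A REQUEST is parsed only after a CONNECT has opened the session. */
static void toy_rpc_handle(toy_session *s, const uint8_t *pkt, size_t n)
{
    if (n < 2) return;                            /* header must be present */
    size_t len = pkt[1];
    if (len > n - 2 || len > MAX_PAYLOAD) return; /* fit source and destination */
    if (pkt[0] == PKT_CONNECT) {
        s->connected = 1;
    } else if (pkt[0] == PKT_REQUEST && s->connected) {
        memcpy(s->payload, pkt + 2, len);         /* reachable in-session only */
        s->requests_parsed++;
    }
}

/* Harness style 1: the whole input is one datagram on a fresh session. */
unsigned fuzz_single_packet(const uint8_t *data, size_t size)
{
    toy_session s = {0};
    toy_rpc_handle(&s, data, size);
    return s.requests_parsed;
}

/* Harness style 2: input is a list of [dgram_len:1][dgram] records replayed on one session. */
unsigned fuzz_session(const uint8_t *data, size_t size)
{
    toy_session s = {0};
    size_t off = 0;
    while (off < size) {
        size_t dlen = data[off++];                /* off always advances */
        if (dlen > size - off) dlen = size - off; /* clamp a truncated record */
        toy_rpc_handle(&s, data + off, dlen);
        off += dlen;
    }
    return s.requests_parsed;
}

/* libFuzzer entry point (build: clang -fsanitize=fuzzer,address). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ (void)fuzz_session(data, size); return 0; }
```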
Why this matters
PROFINET IO devices, such as sensors, actuators, and controllers, are foundational to industrial automation systems across sectors like manufacturing, energy, and transportation. Vulnerabilities in the protocol stack can open the door to crashes, resource exhaustion, and service disruption — all of which carry significant operational and safety risks.
By acting quickly and transparently, RT-Labs not only resolved the issues but also improved long-term resilience. Our customers can rely on P-Net for continued performance in the most demanding environments.
What you should do
We strongly recommend upgrading to P-Net version 1.0.2 to eliminate the vulnerabilities described. To stay informed on future advisories, visit our security advisories page. For commercial support, please contact us at sales@rt-labs.com.