Search criteria
2 vulnerabilities found for MB-Gateway by AutomationDirect
CVE-2025-36535 (GCVE-0-2025-36535)
Vulnerability from cvelistv5 – Published: 2025-05-21 19:52 – Updated: 2025-05-22 18:49
VLAI?
Summary
The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.
Severity ?
10 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AutomationDirect | MB-Gateway |
Affected:
All
|
Credits
Souvik Kandar reported this vulnerability to AutomationDirect.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:47:51.761218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:49:49.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MB-Gateway",
"vendor": "AutomationDirect",
"versions": [
{
"status": "affected",
"version": "All"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Souvik Kandar reported this vulnerability to AutomationDirect."
}
],
"datePublic": "2025-05-20T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.\u003c/span\u003e"
}
],
"value": "The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T19:52:13.068Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-09"
},
{
"url": "https://www.automationdirect.com/adc/shopping/catalog/communications/protocol_gateways/modbus_gateways/eki-1221-ce"
}
],
"source": {
"advisory": "ICSA-25-140-09",
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "AutomationDirect MB-Gateway Missing Authentication for Critical Function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe hardware limitation of MB-Gateway does not provide for the implementation of proper access control update. AutomationDirect recommends that users plan for replacement of MB-Gateway with \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.automationdirect.com/adc/shopping/catalog/communications/protocol_gateways/modbus_gateways/eki-1221-ce\"\u003eEKI-1221-CE\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIf an immediate replacement is not feasible, AutomationDirect recommends considering the following interim steps until the programming software can be updated:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRestrict network exposure: Ensure devices affected are not accessible from the Internet or untrusted networks. Place them behind firewalls.\u003c/li\u003e\u003cli\u003eUse dedicated, secure internal networks or air-gapped systems for communication with programmable devices.\u003c/li\u003e\u003cli\u003eControl Access: Restrict physical and logical access to authorized personnel only.\u003c/li\u003e\u003cli\u003eImplement Whitelisting: Use application whitelisting to allow only pre-approved and trusted access. Block untrusted or unauthorized applications.\u003c/li\u003e\u003cli\u003eMonitor and Log Activity: Enable logging and monitoring of system activities to detect potential anomalies or unauthorized actions. Regularly review logs for suspicious activity.\u003c/li\u003e\u003cli\u003eUse Secure Backup and Recovery: Regularly back up the workstation and its configurations to a secure location. Test recovery procedures to ensure minimal downtime in the event of an incident.\u003c/li\u003e\u003cli\u003ePlan for device replacement: Organizations should begin evaluating and migrating to supported hardware with active vendor support.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "The hardware limitation of MB-Gateway does not provide for the implementation of proper access control update. AutomationDirect recommends that users plan for replacement of MB-Gateway with EKI-1221-CE https://www.automationdirect.com/adc/shopping/catalog/communications/protocol_gateways/modbus_gateways/eki-1221-ce .\n\nIf an immediate replacement is not feasible, AutomationDirect recommends considering the following interim steps until the programming software can be updated:\n\n * Restrict network exposure: Ensure devices affected are not accessible from the Internet or untrusted networks. Place them behind firewalls.\n * Use dedicated, secure internal networks or air-gapped systems for communication with programmable devices.\n * Control Access: Restrict physical and logical access to authorized personnel only.\n * Implement Whitelisting: Use application whitelisting to allow only pre-approved and trusted access. Block untrusted or unauthorized applications.\n * Monitor and Log Activity: Enable logging and monitoring of system activities to detect potential anomalies or unauthorized actions. Regularly review logs for suspicious activity.\n * Use Secure Backup and Recovery: Regularly back up the workstation and its configurations to a secure location. Test recovery procedures to ensure minimal downtime in the event of an incident.\n * Plan for device replacement: Organizations should begin evaluating and migrating to supported hardware with active vendor support."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-36535",
"datePublished": "2025-05-21T19:52:13.068Z",
"dateReserved": "2025-05-14T16:57:44.359Z",
"dateUpdated": "2025-05-22T18:49:49.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36535 (GCVE-0-2025-36535)
Vulnerability from nvd – Published: 2025-05-21 19:52 – Updated: 2025-05-22 18:49
VLAI?
Summary
The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.
Severity ?
10 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AutomationDirect | MB-Gateway |
Affected:
All
|
Credits
Souvik Kandar reported this vulnerability to AutomationDirect.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:47:51.761218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:49:49.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MB-Gateway",
"vendor": "AutomationDirect",
"versions": [
{
"status": "affected",
"version": "All"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Souvik Kandar reported this vulnerability to AutomationDirect."
}
],
"datePublic": "2025-05-20T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.\u003c/span\u003e"
}
],
"value": "The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T19:52:13.068Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-09"
},
{
"url": "https://www.automationdirect.com/adc/shopping/catalog/communications/protocol_gateways/modbus_gateways/eki-1221-ce"
}
],
"source": {
"advisory": "ICSA-25-140-09",
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "AutomationDirect MB-Gateway Missing Authentication for Critical Function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe hardware limitation of MB-Gateway does not provide for the implementation of proper access control update. AutomationDirect recommends that users plan for replacement of MB-Gateway with \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.automationdirect.com/adc/shopping/catalog/communications/protocol_gateways/modbus_gateways/eki-1221-ce\"\u003eEKI-1221-CE\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIf an immediate replacement is not feasible, AutomationDirect recommends considering the following interim steps until the programming software can be updated:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRestrict network exposure: Ensure devices affected are not accessible from the Internet or untrusted networks. Place them behind firewalls.\u003c/li\u003e\u003cli\u003eUse dedicated, secure internal networks or air-gapped systems for communication with programmable devices.\u003c/li\u003e\u003cli\u003eControl Access: Restrict physical and logical access to authorized personnel only.\u003c/li\u003e\u003cli\u003eImplement Whitelisting: Use application whitelisting to allow only pre-approved and trusted access. Block untrusted or unauthorized applications.\u003c/li\u003e\u003cli\u003eMonitor and Log Activity: Enable logging and monitoring of system activities to detect potential anomalies or unauthorized actions. Regularly review logs for suspicious activity.\u003c/li\u003e\u003cli\u003eUse Secure Backup and Recovery: Regularly back up the workstation and its configurations to a secure location. Test recovery procedures to ensure minimal downtime in the event of an incident.\u003c/li\u003e\u003cli\u003ePlan for device replacement: Organizations should begin evaluating and migrating to supported hardware with active vendor support.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "The hardware limitation of MB-Gateway does not provide for the implementation of proper access control update. AutomationDirect recommends that users plan for replacement of MB-Gateway with EKI-1221-CE https://www.automationdirect.com/adc/shopping/catalog/communications/protocol_gateways/modbus_gateways/eki-1221-ce .\n\nIf an immediate replacement is not feasible, AutomationDirect recommends considering the following interim steps until the programming software can be updated:\n\n * Restrict network exposure: Ensure devices affected are not accessible from the Internet or untrusted networks. Place them behind firewalls.\n * Use dedicated, secure internal networks or air-gapped systems for communication with programmable devices.\n * Control Access: Restrict physical and logical access to authorized personnel only.\n * Implement Whitelisting: Use application whitelisting to allow only pre-approved and trusted access. Block untrusted or unauthorized applications.\n * Monitor and Log Activity: Enable logging and monitoring of system activities to detect potential anomalies or unauthorized actions. Regularly review logs for suspicious activity.\n * Use Secure Backup and Recovery: Regularly back up the workstation and its configurations to a secure location. Test recovery procedures to ensure minimal downtime in the event of an incident.\n * Plan for device replacement: Organizations should begin evaluating and migrating to supported hardware with active vendor support."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-36535",
"datePublished": "2025-05-21T19:52:13.068Z",
"dateReserved": "2025-05-14T16:57:44.359Z",
"dateUpdated": "2025-05-22T18:49:49.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}