CVE-2025-30519
Published 2025-09-18
CVE-2025-30519: Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means. An attacker…
Priority: P271 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.41% (32.5th percentile)
Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means. An attacker with network access to the device can gain administrative access to the system.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dover_fueling_solutions | progauge_maglink_lx_4 | < 4.20.3 | 4.20.3 |
| dover_fueling_solutions | progauge_maglink_lx_plus | < 4.20.3 | 4.20.3 |
| dover_fueling_solutions | progauge_maglink_lx_ultimate | < 5.20.3 | 5.20.3 |
Detection & IOCs
- Detect network access attempts to ProGauge MagLink LX4 devices using default root credentials, which cannot be changed through standard administrative means.
- Monitor for administrative logins to ProGauge MagLink LX4/LX4 Plus/LX4 Ultimate devices from unexpected or external network sources, especially on internet-exposed devices.
- Default root credentials are hardcoded and cannot be changed through standard administrative means, meaning credential rotation is not a viable mitigation for CVE-2025-30519; patching to a fixed firmware version is required.
- No known public exploitation has been reported at time of advisory publication, but the vulnerability is remotely exploitable with low attack complexity (CVSS v4 9.3).
- The advisory covers three distinct CVEs on the same device family; CVE-2025-30519 (default credentials) is separate from CVE-2025-54807 (hardcoded JWT signing key) and CVE-2025-55068 (integer overflow/DoS). All three should be remediated together via firmware update.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
Dover Fueling Solutions ProGauge MagLink LX4 Devices
cisa_ics · 2025-09-18 · CVSS 8.2
[HIGH] Dover Fueling Solutions ProGauge MagLink LX4 Devices
ICS Advisory
## Dover Fueling Solutions ProGauge MagLink LX4 Devices
Release Date: September 18, 2025
Alert Code: ICSA-25-261-07
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Dover Fueling Solutions
- Equipment: ProGauge MagLink LX4, ProGauge MagLink LX4 Plus, ProGauge MagLink LX4 Ultimate
- Vulnerabilities: Integer Overflow or Wraparound, Use of Hard-coded Cryptographic Key, Use of Weak Credentials
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in a remote attacker causing a denial-of-service condition or gaining administrative access to the device.
## 3. TECHNICAL DE
GHSA
GHSA-3fgm-3m4r-2x8g: Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means
ghsa_unreviewed · 2025-09-18
CVE-2025-30519 [CRITICAL] CWE-1391 GHSA-3fgm-3m4r-2x8g: Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative means
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-18