CVE-2025-36535
published 2025-05-21


Priority: P2 (critical); CVSS 3.1 base score 10.0 (vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 1.01% (58.7th percentile)
The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.

Affected (1 range)

Vendor          Product      Version range   Fixed in
automationdirect  mb-gateway   all versions    none (no firmware fix available; see detection notes)

Detection & IOCs (extracted from sources)

  • Target device is AutomationDirect MB-Gateway (all versions); detect unauthenticated HTTP requests to the embedded webserver on this device, as no authentication or access controls are enforced
  • Any remote, unauthenticated access to the MB-Gateway web interface should be treated as suspicious; monitor for configuration change requests, unexpected reboots/disruptions, or code execution attempts originating from untrusted network segments
  • Alert on MB-Gateway devices that are directly reachable from the Internet or untrusted networks; network exposure of this device is the primary exploitation prerequisite
  • The vulnerability is unfixable via firmware update due to a hardware limitation; all versions of MB-Gateway are permanently affected and the vendor recommends hardware replacement with EKI-1221-CE
  • No known public exploitation has been reported at time of advisory publication, but the CVSS v4 score is 10.0 (maximum), indicating critical risk for any internet- or network-exposed MB-Gateway device

CVSS provenance

Source: nvd · CVSS v3.1 · 10.0 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: nvd · CVSS v4.0 · 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X