CVE-2025-36535
Published 2025-05-21
Priority: P2 · 70 · CVSS 3.1: 10.0 (critical)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 1.01% (58.7th percentile)
The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automationdirect | mb-gateway | — | — |
Detection & IOCs (extracted from sources)
- Target device is AutomationDirect MB-Gateway (all versions); detect unauthenticated HTTP requests to the embedded web server on this device, as no authentication or access controls are enforced.
- Any remote, unauthenticated access to the MB-Gateway web interface should be treated as suspicious; monitor for configuration change requests, unexpected reboots or disruptions, or code execution attempts originating from untrusted network segments.
- Alert on MB-Gateway devices that are directly reachable from the Internet or untrusted networks; network exposure of this device is the primary exploitation prerequisite.
- The vulnerability cannot be fixed via firmware update due to a hardware limitation; all versions of MB-Gateway are permanently affected, and the vendor recommends hardware replacement with the EKI-1221-CE.
- No known public exploitation had been reported at the time of advisory publication, but the CVSS v4 score is 10.0 (maximum), indicating critical risk for any internet- or network-exposed MB-Gateway device.
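As an added example (not from the advisory, the aggregator, or the vendor), a small Python detector that applies the exposure rule above to constructed access-log lines: any HTTP request to an MB-Gateway from outside the trusted OT segment is a finding, and state-changing requests from there are rated critical. The gateway addresses, the trusted subnet, and the log format are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed for this example: addresses of the MB-Gateway units and the OT subnet
# from which engineering access is expected. Replace with real inventory data.
GATEWAY_HOSTS = {"10.10.5.20", "10.10.5.21"}
TRUSTED_SEGMENTS = [ipaddress.ip_network("10.10.5.0/24")]
# Methods that change state on an embedded web server; with no authentication,
# any of these from an untrusted segment is a configuration-change attempt.
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# Constructed sample log: src dst "METHOD PATH" status (one request per line).
SAMPLE_LOG = """\
10.10.5.7 10.10.5.20 "GET /index.htm" 200
203.0.113.45 10.10.5.20 "GET /config.htm" 200
203.0.113.45 10.10.5.20 "POST /config.htm" 200
10.20.0.9 10.10.5.21 "POST /reboot.cgi" 200
10.10.5.7 10.10.5.21 "POST /config.htm" 200
192.0.2.8 10.10.5.99 "GET /" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3})$')

@dataclass
class Finding:
    src: str
    dst: str
    method: str
    path: str
    severity: str

def classify(src, dst, method, path):
    """Return a Finding for an untrusted request to a gateway, else None."""
    if dst not in GATEWAY_HOSTS:
        return None
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in net for net in TRUSTED_SEGMENTS):
        return None  # expected engineering access from the OT segment
    # Every request from outside the segment reaches an unauthenticated server;
    # reads are "high", anything that can alter configuration is "critical".
    severity = "critical" if method.upper() in STATE_CHANGING else "high"
    return Finding(src, dst, method, path, severity)

def scan(log_text):
    """Parse the log and collect findings in file order; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            f = classify(m.group(1), m.group(2), m.group(3), m.group(4))
            if f:
                findings.append(f)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.src} -> {f.dst} {f.method} {f.path}")
```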
CVSS provenance
- NVD, CVSS v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v4.0: 10.0 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-8jmx-gwp7-3j43 (unreviewed, 2025-05-21): CVE-2025-36535 [CRITICAL] CWE-306
The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.
CISA ICS
AutomationDirect MB-Gateway (cisa_ics, 2025-05-20, CVSS 10.0) [CRITICAL]
ICS Advisory: AutomationDirect MB-Gateway
Release Date: May 20, 2025
Alert Code: ICSA-25-140-09
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: AutomationDirect
- Equipment: MB-Gateway
- Vulnerability: Missing Authentication For Critical Function
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to make configuration changes, disrupt operations, or achieve arbitrary code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following AutomationDirect product is affected:
- MB-Gateway: All Versions
## 3.2 VULNERABILITY OVERVIEW
## 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2025-05-21