CVE-2025-49152
Published 2025-06-25
CVE-2025-49152: The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.
Priority P3 · 49 · high · 8.7 (CVSS 4.0)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.45% (35.8th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsens | nmp_web | <= Version 3.2.5 | — |
CISA ICS
MICROSENS NMP Web+
cisa_ics·2025-06-24·CVSS 9.3
[CRITICAL] MICROSENS NMP Web+
ICS Advisory
## MICROSENS NMP Web+
Release Date: June 24, 2025
Alert Code: ICSA-25-175-07
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: MICROSENS
- Equipment: NMP Web+
- Vulnerabilities: Use of Hard-coded, Security-relevant Constants, Insufficient Session Expiration, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain system access, overwrite files or execute arbitrary code.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of NMP Web+ are affected:
- N
GHSA
GHSA-hv2j-4g9f-chqp: MICROSENS NMP Web+ contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system
ghsa_unreviewed·2025-06-26
CVE-2025-49152 [HIGH] CWE-613 GHSA-hv2j-4g9f-chqp: MICROSENS NMP Web+ contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system
MICROSENS NMP Web+ contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-06-25
Published