CVE-2025-49153
published 2025-06-25

CVE-2025-49153: The affected products could allow an unauthenticated attacker to overwrite files and execute arbitrary code.

Priority: P262 · Severity: critical · Score: 9.3 (CVSS 4.0)
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics E, CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE, U are all not defined: X)
EPSS: 0.66% (47.0th percentile)
Affected (1 range)

Vendor: microsens | Product: nmp_web | Version range: <= Version 3.2.5 | Fixed in: (not listed)

Detection & IOCs (extracted from sources)

  • CVE-2025-49153 is a path traversal (CWE-22) vulnerability in MICROSENS NMP Web+ allowing unauthenticated file overwrite and arbitrary code execution — detect unauthenticated HTTP requests containing path traversal sequences (e.g., '../') targeting the NMP Web+ application endpoint
  • CVE-2025-49153 is chained with CVE-2025-49151 (hard-coded JWT secret enabling forged tokens) and CVE-2025-49152 (non-expiring JWTs) — monitor for JWT authentication bypass attempts (malformed or forged JWT tokens) against NMP Web+ followed by file-write or code-execution activity
  • Affected product scope: MICROSENS NMP Web+ Version 3.2.5 and prior — flag any internet-exposed instances of this product version as high-priority targets
  • No public exploitation has been reported as of the advisory publication date; no concrete IOCs (hashes, IPs, domains, exploit URLs) are present in the available sources
  • The path traversal vulnerability (CVE-2025-49153) is unauthenticated, meaning exploitation does not require a valid session — detection logic should not filter on authentication state
  • JWTs issued by NMP Web+ 3.2.5 and prior do not expire, meaning captured tokens remain valid indefinitely and cannot be invalidated by session timeout controls
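The detection guidance above (traversal sequences in requests, checked regardless of authentication state, plus JWTs that carry no expiry) can be turned into a small log-review script. The following is an added example written for this entry; it is not code from cbcvebase, MICROSENS or any of the cited advisories. The access-log lines, the /app/... request paths and the sample tokens are all constructed placeholders, since the sources name no specific NMP Web+ endpoint, and the script inspects JWT claims without verifying signatures (the secret is not known to the reviewer; only the presence of an exp claim is checked).

```python
import base64
import json
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The paths are
# placeholders; the page does not name the real NMP Web+ endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jun/2025:10:00:01 +0000] "GET /app/static/logo.png HTTP/1.1" 200 512
203.0.113.7 - - [25/Jun/2025:10:00:02 +0000] "GET /app/download?file=../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [25/Jun/2025:10:00:03 +0000] "PUT /app/upload?name=..%2f..%2fconfig.xml HTTP/1.1" 201 0
203.0.113.9 - - [25/Jun/2025:10:00:04 +0000] "POST /app/api/login HTTP/1.1" 401 35
203.0.113.7 - - [25/Jun/2025:10:00:05 +0000] "GET /app/x?p=%252e%252e%252fsecret HTTP/1.1" 200 88
"""

# Request line of a combined-format log entry: method, target, HTTP version, status.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# A parent-directory step followed by either path separator.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def decode_repeatedly(value, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded '..%252f' is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if the request target contains a traversal sequence after decoding."""
    return bool(TRAVERSAL_RE.search(decode_repeatedly(target)))


def scan_log(text):
    """Return one finding per request line that carries a traversal sequence.

    Deliberately does not look at the status code or any session cookie:
    the vulnerability is unauthenticated, so auth state is not a filter.
    """
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        if has_traversal(match.group("target")):
            findings.append({
                "ip": line.split()[0],
                "method": match.group("method"),
                "target": match.group("target"),
                "status": int(match.group("status")),
            })
    return findings


def _b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed JWT-shaped token with a dummy signature segment."""
    header = _b64url_json({"alg": "HS256", "typ": "JWT"})
    return ".".join([header, _b64url_json(claims), "dummysig"])


def jwt_claims(token):
    """Decode the payload segment only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def jwt_never_expires(token):
    """Flag tokens with no exp claim: they stay valid until the secret rotates."""
    return "exp" not in jwt_claims(token)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("traversal:", finding)
    print("no exp:", jwt_never_expires(make_sample_token({"sub": "admin"})))
```

On the constructed log the scanner flags three requests from 203.0.113.7 (plain, single-encoded and double-encoded traversal) and ignores the failed login, which is the point of not filtering on status or session. Bounded repeated decoding is used instead of a single unquote because a second encoding layer is a common way traversal sequences slip past naive string matches.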