CVE-2025-8284
Published 2025-08-08
Priority P261 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.51% (39.5th percentile)
By default, the Packet Power Monitoring and Control Web Interface does not
enforce authentication mechanisms. This vulnerability could allow
unauthorized users to access and manipulate monitoring and control
functions.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| packet_power | eg | < 4.1.0 | 4.1.0 |
| packet_power | emx | < 4.1.0 | 4.1.0 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated HTTP access to Packet Power EMX/EG web interface: the monitoring and control web interface does not enforce authentication by default, so any unauthenticated request reaching management endpoints is suspicious
- Flag network traffic to/from Packet Power EMX or EG devices (versions prior to 4.1.0) originating from untrusted or internet-facing sources: exploitation is remotely possible with low attack complexity and no credentials required
- Alert on unauthenticated sessions achieving full device access on Packet Power EMX/EG: successful exploitation grants full access without authentication
- Authentication is disabled BY DEFAULT on affected devices: organizations must verify whether authentication has been explicitly enabled on all deployed EMX/EG units running firmware prior to 4.1.0
- No known public exploitation has been reported at time of advisory publication, but the CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no prerequisites
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-3jvj-f4f8-9hp2: By default, the Packet Power Monitoring and Control Web Interface does not
enforce authentication mechanisms
ghsa_unreviewed · 2025-08-08 · CVE-2025-8284 [CRITICAL] CWE-306
CISA ICS
Packet Power EMX and EG
cisa_ics · 2025-08-07 · CVSS 9.8 · [CRITICAL]
ICS Advisory
## Packet Power EMX and EG
Release Date: August 07, 2025
Alert Code: ICSA-25-219-05
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Packet Power
- Equipment: EMX, EG
- Vulnerability: Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain full access to the device without authentication.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Packet Power products are affected:
- EMX: Versions prior to 4.1.0
- EG: Versions prior to 4.1.0
## 3.2 VULNERABILITY OVERVIEW
## 3.2.1 MISSING AUTHENTICA
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.