CVE-2025-8284
published 2025-08-08


Priority: P261 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.51% (39.5th percentile)

By default, the Packet Power Monitoring and Control Web Interface does not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| packet_power | eg | < 4.1.0 | 4.1.0 |
| packet_power | emx | < 4.1.0 | 4.1.0 |

Detection & IOCs (extracted from sources)

  • Detect unauthenticated HTTP access to Packet Power EMX/EG web interface — the monitoring and control web interface does not enforce authentication by default, so any unauthenticated request reaching management endpoints is suspicious
  • Flag network traffic to/from Packet Power EMX or EG devices (versions prior to 4.1.0) originating from untrusted or internet-facing sources — exploitation is remotely possible with low attack complexity and no credentials required
  • Alert on unauthenticated sessions achieving full device access on Packet Power EMX/EG — successful exploitation grants full access without authentication
  • Authentication is disabled BY DEFAULT on affected devices — organizations must verify whether authentication has been explicitly enabled on all deployed EMX/EG units running firmware prior to 4.1.0
  • No known public exploitation has been reported at time of advisory publication — but the CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no prerequisites

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.3 · CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X