CVE-2025-36535 | THREATINT

Description

The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.

PUBLISHED Reserved 2025-05-14 | Published 2025-05-21 | Updated 2025-05-22 | Assigner icscert

CRITICAL: 10.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CRITICAL: 10.0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status

unaffected

All

affected

Credits

Souvik Kandar reported this vulnerability to AutomationDirect. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-140-09

www.automationdirect.com/...ways/modbus_gateways/eki-1221-ce

cve.org (CVE-2025-36535)

nvd.nist.gov (CVE-2025-36535)

Download JSON