Critical vulnerabilities in Microsens’ NMP Web+ network management platform have been discovered that allow unauthenticated attackers to remotely compromise industrial control systems. These flaws enable full system takeover through authentication bypass and arbitrary code execution, affecting versions 3.2.5 and earlier on both Windows and Linux platforms.
CVE-2025-49151: Authentication Bypass (CVSS 9.1)
A hardcoded JSON Web Token (JWT) secret enables attackers to forge valid authentication tokens. This allows complete bypass of login requirements without credentials, granting unauthorized system access.
CVE-2025-49153: Remote Code Execution (CVSS 9.8)
Exploiting path traversal vulnerabilities, attackers can overwrite critical system files and execute malicious code. This flaw permits unauthenticated remote takeover of the host operating system.
CVE-2025-49152: Persistent Access (CVSS 7.5)
Non-expiring JWTs enable indefinite system access once a token is obtained. Attackers maintain persistent control even after initial compromise.
Attack Chaining and Impact
To add insult to injury, researchers found that these vulnerabilities are chainable:
1. Forged tokens (CVE-2025-49151) grant initial access
2. Non-expiring tokens (CVE-2025-49152) ensure persistence
3. Path traversal (CVE-2025-49153) enables full system compromise
This sequence allows complete remote control of industrial switches and network equipment managed by MP Web+.
Affected Products and Mitigation
• Impacted versions: NMP Web+ ≤ v3.2.5
• Solution: Microsens released v3.3.0 to patch all vulnerabilities. CISA mandates immediate updates, access log reviews, and token revocation.
