No Easy Fix: Understanding the Critical Flaw (CVE-2025-36535) in Your MB-Gateway

¡Oye, mi gente! Today, your amigo in cybersecurity has some news that is, how you say… caliente. We have a big problem in the world of Industrial Control Systems, or ICS. It’s about a sneaky thing called CVE-2025-36535.

This is a problem, a vulnerability, in a device named AutomationDirect MB-Gateway. And when I say big problem, I mean it. The score they give it, the CVSS score, is 10.0. ¡Eso es el máximo! The highest! It means this is super critical.

So, let’s talk simple but technical, okay?

What is This CVE-2025-36535 Animal?

Imagine you have a door to your house, but this door has no lock. Anyone can walk in, no questions. This is what happens with the AutomationDirect MB-Gateway. The problem, which technical people call CWE-306: Missing Authentication for Critical Function, is in its embedded web server. This means the part of the device you use to configure it on the network, it asks for no password, no username. Nada.

Any attacker who can find this device on the network can just walk into its configuration panel. A researcher, Souvik Kandar from Microsec, found this. Good job, Souvik!

The CVSS v3.1 and v4.0 scores are both 10.0. Let me break down why:

  • AV:N (Attack Vector: Network): They can attack from far away, over the network.
  • AC:L (Attack Complexity: Low): It’s easy to do. No fancy hacking needed.
  • PR:N (Privileges Required: None): The attacker needs no special access before.
  • UI:N (User Interaction: None): You don’t need to click on a bad email or anything.
  • S:C (Scope: Changed, in v3.1) / SC:H, SI:H, SA:H (Subsequent System Confidentiality, Integrity, Availability: High, in v4.0): This is important. If they get the gateway, they can mess with other systems connected to it. Big damage.
  • C:H, I:H, A:H (Confidentiality, Integrity, Availability: High): They can steal info, change info, and stop the device from working. All of it.

This vulnerability was made public around May 20-21, 2025. So, everyone knows now.

The Sick Device: AutomationDirect MB-Gateway

So, what is this MB-Gateway? It’s a small box, an industrial gateway module. Its job is to translate. It helps machines that speak Modbus TCP/IP (common on Ethernet networks, like your office) talk to machines that speak Modbus RTU (common on older serial lines, like RS-485). Think of it as a translator between two different languages for machines in factories.

These gateways are important. They connect the new IT world with the old OT (Operational Technology) world.

Key things about this device:

  • It connects Ethernet to serial.
  • You can configure it with software (NetEdit) or a Web Browser. The web browser part is the problem.
  • All versions of this MB-Gateway have this vulnerability. No escape.

And here is the really bad part: AutomationDirect says they cannot patch it. They say it’s a “hardware limitation.” This means the brain of the device, the little computer inside, is not strong enough to support good security like authentication. So, you can’t just update the software. This is what we call “unpatchable.” ¡Qué lío! This happens a lot in OT: devices live for many years, but technology for security moves faster.

Why This is a Big, Big Headache (The Impact)

If a bad guy gets into this MB-Gateway, many bad things can happen:

  1. Unauthorized Configuration Changes: They can change how the gateway works. Maybe change its network address (IP address) so it cannot talk, or change Modbus settings so it talks nonsense to your machines.
  2. Disruption of Modbus Communications: They can stop, change, or repeat the messages between your control systems (like SCADA) and your field devices (like PLCs, sensors).
    • Loss of View: Operators can’t see what’s happening in the factory.
    • Loss of Control: Operators can’t send commands to the machines.
    • Manipulation of Process: Attackers can send their own commands! Change temperatures, pressures, speeds. This can break equipment, make bad products, or even cause safety problems. ¡Muy peligroso!
  3. Information Leakage: The attacker can see all the configurations. Network details, what devices are connected. This is gold for planning more attacks.
  4. Potential for Arbitrary Code Execution (ACE): Maybe, just maybe, they can make the gateway run their own bad software. Then the gateway becomes a spy inside your network.
  5. Denial of Service (DoS): They can make the gateway crash or stop working.

CISA (the Cybersecurity and Infrastructure Security Agency in the US) says these devices are used worldwide, in Critical Manufacturing and other important places. Imagine a power plant or water treatment facility.

And guess what? The researcher said more than 100 of these devices are directly on the internet! This is like leaving the key to your factory under the welcome mat. Anyone can try to open the door.

What the Vendor and CISA Say

AutomationDirect was honest. They released an advisory (SA-00046) and said, yes, CVSS 10.0, no authentication, and because of hardware, we cannot patch. Their main advice? Replace the MB-Gateway with their EKI-1221-CE model. This new model, we hope, is more secure.

CISA also released an advisory (ICSA-25-140-09). They agree, it’s bad. At the time, they said no one was attacking this yet. But with a 10.0 score and easy exploit, you can bet the bad guys are looking now.

So, What Do We Do, Compañeros?

This is serious, so action is needed.

  1. THE BEST THING: Replace the device. AutomationDirect says use the EKI-1221-CE. This costs money, yes. It takes time to change, yes. But it’s the only real fix.
  2. IF YOU CANNOT REPLACE NOW (Interim Mitigations):
    • GET IT OFF THE INTERNET! This is number one. No industrial device like this should be facing the public internet.
    • Use Firewalls: Put a strong firewall in front of it. Only allow the exact IP addresses and Modbus traffic that must talk to it. Deny everything else.
    • Network Segmentation: Keep these devices on their own isolated network segment. Don’t mix them with your office computers or guest Wi-Fi.
    • Secure Remote Access: If you must access it from far away, use a VPN (Virtual Private Network). And make sure your VPN is updated! But remember, a VPN gets you to the network. If the gateway is on that network with no password, anyone on the VPN can still get to it. So, more firewalls inside might be needed.
    • Monitor: Watch the network traffic. Look for strange activity.
    • Backups: Keep backups of the configuration. Test if you can restore it.
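To make the “firewall + monitor” advice concrete, here is an added example (mine, not from the AutomationDirect or CISA advisories) that checks firewall flow records against an allowlist for the gateway: only the SCADA server may speak Modbus TCP to it, only the engineering workstation may open the web panel, and everything else raises an alert. All addresses, the web panel port (TCP/80) and the flow record format are hypothetical assumptions.

```python
# Added example (not the advisory's or vendor's code): allowlist check over
# firewall flow records. Hypothetical values: gateway 10.10.1.50 (web panel
# TCP/80, Modbus TCP/502), SCADA 10.10.1.10, engineering WS 10.10.1.20.
import ipaddress

GATEWAY = ipaddress.ip_address("10.10.1.50")
PLANT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# destination port -> hosts allowed to reach it; anything else is denied
POLICY = {
    80: {ipaddress.ip_address("10.10.1.20")},   # web config: engineering WS only
    502: {ipaddress.ip_address("10.10.1.10")},  # Modbus TCP: SCADA server only
}

def parse_flow(line):
    """Parse a constructed 'src=A dst=B dport=N proto=tcp' flow record."""
    f = dict(part.split("=", 1) for part in line.split())
    return ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"]), int(f["dport"])

def check_flows(lines):
    """Return (src, dport, reason) for each flow to the gateway the allowlist denies."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        src, dst, dport = parse_flow(line)
        if dst != GATEWAY:
            continue                        # other hosts are out of scope here
        allowed = POLICY.get(dport)
        if allowed is None:
            reason = "port not in allowlist"
        elif src in allowed:
            continue                        # expected traffic, nothing to report
        else:
            reason = ("web panel" if dport == 80 else "modbus") + " reached from unapproved host"
        if not any(src in net for net in PLANT_NETS):
            reason += "; source outside plant network (internet exposure?)"
        alerts.append((str(src), dport, reason))
    return alerts

# Constructed sample: two legitimate flows, three that should alert, one to another host.
SAMPLE_LOG = """\
src=10.10.1.10 dst=10.10.1.50 dport=502 proto=tcp
src=10.10.1.20 dst=10.10.1.50 dport=80 proto=tcp
src=10.10.5.77 dst=10.10.1.50 dport=80 proto=tcp
src=203.0.113.9 dst=10.10.1.50 dport=502 proto=tcp
src=10.10.1.10 dst=10.10.1.50 dport=23 proto=tcp
src=10.10.1.20 dst=10.10.1.60 dport=80 proto=tcp
"""
```

Run `check_flows(SAMPLE_LOG.splitlines())` and the third alert (a public address talking Modbus to the gateway) is exactly the “device on the internet” case the researcher warned about.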

Bigger Lessons for Our ICS/OT World

This story with CVE-2025-36535 is not just about one device. It teaches us some big things:

  • Old Devices, New Problems: Many OT devices are old. They were built when cybersecurity was not a big worry. This “unpatchable” problem will happen again. We need to think about security when we buy new stuff, not just how cheap it is.
  • Internet is Not Your Friend (for ICS): Connecting industrial systems directly to the internet is asking for trouble. We need better network hygiene. Know what you have, where it is, and who can talk to it.
  • Modbus is Old School: The Modbus protocol itself has no security. No passwords, no encryption. When a gateway to Modbus is weak, the whole system is weak. We need to move to secure protocols or be very, very careful.
  • Security From the Start (Secure-by-Design): Vendors need to build security into their products from the first idea. Not add it later like a patch.
  • Defense-in-Depth: This is key. One security measure is not enough. You need layers: firewalls, segmentation, monitoring, good passwords (where you can use them!), and training for your people.

My Final Words

¡Amigos! CVE-2025-36535 is a wake-up call. A CVSS 10.0 vulnerability that is unpatchable on a common industrial gateway is serious business.

If you use AutomationDirect MB-Gateway devices:

  1. Identify them. Now.
  2. Plan to replace them. Fast.
  3. If you can’t replace today, use all the interim mitigations. All of them. Especially get them off the internet and behind good firewalls.

This is not just about this one gateway. It’s about how we protect our factories, our power, our water – our critical infrastructure. The old way of “if it’s working, don’t touch it” is not good for cybersecurity. We need to be proactive.

Stay safe, stay vigilant, and let’s make our industrial world more secure. ¡Hasta la próxima!
