CVE-2025-36535

Published May 21, 2025

Last updated a month ago

CVSS critical 10.0

Overview

Description
The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.
Source
ics-cert@hq.dhs.gov
NVD status
Awaiting Analysis
CNA Tags
unsupported-when-assigned

Risk scores

CVSS 4.0

Type
Secondary
Base score
10
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

ics-cert@hq.dhs.gov
CWE-306

Social media

Hype score
Not currently trending

  1. Actively exploited CVE : CVE-2025-36535

    @transilienceai

    23 May 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. More than 100 AutomationDirect MB-Gateway devices may be vulnerable to attacks from the internet due to CVE-2025-36535. Read more: https://t.co/QqwyS1H86U #TheWorldwideThreat #TWWTPodcast #Hacking #CyberThreat #News

    @WThreat59380

    22 May 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚡️The vulnerability details are now available: https://t.co/YZANxqF1mM 🚨🚨CVE-2025-36535 (CVSS: 10) hits AutomationDirect MB-Gateway HARD! No authentication needed for remote access to critical functions. Attackers can tamper configs, disrupt ops, or even execute arbit

    @zoomeye_team

    22 May 2025

    328 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. 産業用自動化機器メーカーAutomationDirectのMB-Gateway製品に、インターネット経由でも悪用可能な重大な脆弱性(CVE-2025-36535)が存在するとCISAが発表した。 組み込みWebサーバに認証が存在しないため、誰でも設定

    @yousukezan

    21 May 2025

    726 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. [CVE-2025-36535: CRITICAL] Unsecured embedded web servers pose significant cyber threats by granting unauthorized remote access, potentially causing critical system compromise or data breaches. #CyberSecurity#cve,CVE-2025-36535,#cybersecurity https://t.co/WO8U3ueRE2 https://t.co/

    @CveFindCom

    21 May 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.