AutomationDirect

AutomationDirect’s MB-Gateway devices, widely deployed in critical infrastructure, are affected by a maximum-severity missing-authentication vulnerability (CVE-2025-36535) that enables remote intrusion without credentials. Over 100 internet-exposed instances are at risk of compromise: the devices expose sensitive parameters, including internal IP addresses, firmware versions, Modbus configurations, and serial communication settings, through an unsecured embedded web interface. The flaw, discovered by Microsec researcher Souvik Kandar, stems from the absence of authentication on that interface, so an attacker can reach the configuration panel over an ordinary internet connection. Mitigation is limited because hardware restrictions prevent an access-control update; affected organizations are advised to replace vulnerable devices with the EKI-1221-CE gateway. The Cybersecurity and Infrastructure Security Agency (CISA) has warned of potential operational disruption in industrial environments, where a compromised gateway could facilitate lateral movement, data exfiltration, or sabotage of automated processes in sectors such as energy, manufacturing, and water treatment.

Source: https://www.scworld.com/brief/maximum-severity-automationdirect-gateway-bug-threatens-remote-intrusions

AutomationDirect cybersecurity rating report: https://www.rankiteo.com/company/automationdirect

{
  "id": "AUT3621036112625",
  "linkid": "automationdirect",
  "type": "Vulnerability",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Organizations using MB-Gateway '
                                              'devices in critical '
                                              'infrastructure',
                        'industry': ['Industrial Automation',
                                     'Critical Infrastructure'],
                        'location': 'Global (devices deployed worldwide)',
                        'name': 'AutomationDirect',
                        'type': 'Private Company'}],
 'attack_vector': ['Network', 'Remote Exploitation via Embedded Web Interface'],
 'customer_advisories': ['AutomationDirect replacement recommendation'],
 'data_breach': {'data_exfiltration': 'Possible (via exposed web interface)',
                 'file_types_exposed': ['Configuration Files',
                                        'Log Files (potential)'],
                 'sensitivity_of_data': 'High (critical infrastructure '
                                        'operational details)',
                 'type_of_data_compromised': ['Device Configuration Data',
                                              'Network Parameters']},
 'description': "Industrial automation firm AutomationDirect's MB-Gateway "
                'devices, used in critical infrastructure globally, are '
                'affected by a maximum-severity missing authentication '
                'vulnerability (CVE-2025-36535). The flaw, discovered by '
                'Microsec researcher Souvik Kandar, allows remote intrusions '
                'via uncredentialed access to the embedded web interface, '
                'exposing sensitive device parameters (e.g., internal IPs, '
                'firmware versions, Modbus configurations). Over 100 '
                'internet-exposed instances are at risk. CISA notes hardware '
                'limitations prevent patching, recommending replacement with '
                'the EKI-1221-CE gateway.',
 'impact': {'brand_reputation_impact': 'High (due to critical infrastructure '
                                       'exposure and unpatchable hardware)',
            'data_compromised': ['Internal IPs',
                                 'Firmware Versions',
                                 'Modbus Configuration',
                                 'Serial Communication Settings'],
            'operational_impact': 'Potential disruption to critical '
                                  'infrastructure operations due to exposed '
                                  'configurations',
            'systems_affected': ['AutomationDirect MB-Gateway Devices (100+ '
                                 'internet-exposed instances)']},
 'investigation_status': 'Disclosed (vulnerability confirmed; no active '
                         'exploitation reported)',
 'lessons_learned': 'Hardware limitations can render vulnerabilities '
                    'unpatchable, necessitating full device replacement. '
                    'Critical infrastructure devices require rigorous '
                    'authentication mechanisms to prevent remote exploitation.',
 'post_incident_analysis': {'corrective_actions': ['Device replacement program '
                                                   '(EKI-1221-CE)',
                                                   'Network isolation '
                                                   'guidelines for legacy '
                                                   'systems'],
                            'root_causes': ['Missing authentication in '
                                            'embedded web interface',
                                            'Hardware limitations preventing '
                                            'patch deployment',
                                            'Internet exposure of critical '
                                            'infrastructure devices']},
 'recommendations': ['Replace vulnerable MB-Gateway devices with EKI-1221-CE '
                     'immediately',
                     'Isolate or remove internet-exposed industrial control '
                     'systems',
                     'Implement network segmentation for critical '
                     'infrastructure devices',
                     'Conduct regular vulnerability assessments for embedded '
                     'systems',
                     'Monitor dark web for exposed device configurations'],
 'references': [{'source': 'SecurityWeek'},
                {'source': 'CISA Advisory'},
                {'source': 'Microsec Research (Souvik Kandar)'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA advisory '
                                                        'issued']},
 'response': {'communication_strategy': ['Public disclosure via SecurityWeek',
                                         'CISA advisory'],
              'containment_measures': ['Replacement of vulnerable MB-Gateway '
                                       'devices with EKI-1221-CE gateway'],
              'third_party_assistance': ['Microsec (vulnerability discovery)',
                                         'CISA (advisory)']},
 'stakeholder_advisories': ['CISA alert for critical infrastructure operators'],
 'title': 'Critical Authentication Vulnerability in AutomationDirect '
          'MB-Gateway Devices (CVE-2025-36535)',
 'type': ['Vulnerability Exploitation',
          'Unauthenticated Access',
          'Information Disclosure'],
 'vulnerability_exploited': 'CVE-2025-36535 (Missing Authentication in '
                            'MB-Gateway Devices)'}