SecurityWeek reports that organizations, particularly those in critical infrastructure sectors, could be remotely compromised through the exploitation of a trio of flaws impacting Microsens' NMP Web+ offering, which allows management of industrial switches and other network equipment.
Threat actors with access to web servers linked to vulnerable Microsens NMP Web+ instances could leverage the critical authentication bypass vulnerability, tracked as CVE-2025-49151, and the critical arbitrary code execution issue, tracked as CVE-2025-49153, alongside a high-severity bug involving the non-expiring nature of JSON Web Tokens, to procure valid authentication tokens and facilitate critical file overwriting for eventual OS-level system hijacking, according to Claroty Team82 researcher Noam Moshe. "These two vulnerabilities together allow an attacker to jump 'from zero to hero', meaning gaining full control over the system without needing to have any prior knowledge/credentials to the server," said Moshe. Such vulnerabilities have also been included in an advisory from the Cybersecurity and Infrastructure Security Agency, which urged immediate patching despite the absence of active exploitation.
Threat actors with access to web servers linked to vulnerable Microsens NMP Web+ instances could leverage the critical authentication bypass vulnerability, tracked as CVE-2025-49151, and the critical arbitrary code execution issue, tracked as CVE-2025-49153, alongside a high-severity bug involving the non-expiring nature of JSON Web Tokens, to procure valid authentication tokens and facilitate critical file overwriting for eventual OS-level system hijacking, according to Claroty Team82 researcher Noam Moshe. "These two vulnerabilities together allow an attacker to jump 'from zero to hero', meaning gaining full control over the system without needing to have any prior knowledge/credentials to the server," said Moshe. Such vulnerabilities have also been included in an advisory from the Cybersecurity and Infrastructure Security Agency, which urged immediate patching despite the absence of active exploitation.
