Login Sign Up

CVE-2025-24865

10.0 CRITICAL
Authentication Bypass

📋 TL;DR

CVE-2025-24865 allows unauthenticated access to the mySCADA myPRO Manager administrative web interface. Attackers can retrieve sensitive information and upload files without credentials. This affects all deployments of mySCADA myPRO Manager with the vulnerable configuration.

💻 Affected Systems

Products:
  • mySCADA myPRO Manager
Versions: All versions prior to patched release
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations where the administrative interface is enabled and accessible.

📦 What is this software?

Mypro by Myscada

View all CVEs affecting Mypro →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SCADA/ICS systems allowing unauthorized file uploads, configuration changes, and potential disruption of industrial operations.

🟠

Likely Case

Unauthorized access to sensitive operational data, configuration files, and potential malware deployment through file uploads.

🟢

If Mitigated

Limited impact if network segmentation prevents external access and proper authentication controls are implemented.

🌐 Internet-Facing: HIGH - Directly accessible without authentication, allowing remote exploitation.
🏢 Internal Only: HIGH - Even internal attackers or compromised internal systems can exploit this without credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Direct web access without authentication makes exploitation trivial for anyone with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://www.myscada.org/contacts/

Restart Required: Yes

Instructions:

1. Contact mySCADA for patched version
2. Download updated myPRO Manager
3. Install update following vendor instructions
4. Restart the service/application

🔧 Temporary Workarounds

Network Segmentation

all

Isolate myPRO Manager from untrusted networks

Configure firewall rules to restrict access to trusted IPs only

Authentication Enforcement

all

Implement external authentication proxy

Set up reverse proxy with authentication (e.g., nginx with auth)

🧯 If You Can't Patch

  • Implement strict network access controls allowing only trusted IP addresses
  • Deploy web application firewall with authentication enforcement rules

🔍 How to Verify

Check if Vulnerable:

Attempt to access the myPRO Manager administrative web interface without credentials. If accessible, system is vulnerable.

Check Version:

Check application version in interface or consult vendor documentation

Verify Fix Applied:

Verify authentication is required for all administrative interface access after patch installation.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to administrative endpoints
  • File uploads from unauthenticated sources

Network Indicators:

  • HTTP requests to administrative paths without authentication headers
  • Unusual file upload traffic

SIEM Query:

source_ip NOT IN trusted_ips AND (url_path CONTAINS '/admin' OR url_path CONTAINS '/manager') AND auth_status = 'none'

📊 Metadata

CVE ID: CVE-2025-24865
CVSS v3 Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-306
EPSS Score: 64.09% exploit probability (98.4th percentile)
Published: February 13, 2025
Last Updated: March 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24865, you might also want to check these:

CVE-2025-32433 10.0

This CVE describes a critical vulnerability in Erlang/OTP's SSH server that allows unauthenticated r...

Same vulnerability type (CWE-306)
CVE-2026-23693 10.0

The ElementsKit Lite WordPress plugin versions before 3.7.9 expose an unauthenticated REST endpoint ...

Same vulnerability type (CWE-306)
CVE-2025-58083 10.0

The General Industrial Controls Lynx+ Gateway has a critical authentication bypass vulnerability in ...

Same vulnerability type (CWE-306)