CVE-2025-36535

10.0 CRITICAL

📋 TL;DR

The embedded web server on this Modbus gateway lacks authentication and access controls, so anyone who can reach the web interface over the network gets the same access an administrator would have, with no credentials. The product sits between Modbus field devices and the plant network, so in operational technology environments it is typically reachable from far more hosts than the one or two engineering workstations that actually need to manage it.

💻 Affected Systems

Products:
  • AutomationDirect EKI-1221-CE Modbus Gateway
Versions: Not specified in the CVE record; treat every deployed unit as affected until the vendor states otherwise
Operating Systems: Embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the gateway's embedded web server (its HTTP management interface) and is present in the default configuration; no setting has to be changed for the device to be exposed. Confirm the product and model designation against the NVD entry and the vendor's own security notices before acting.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check the vendor's security notices for your specific model and firmware version
  3. Test whether the web interface accepts unauthenticated requests, but only against devices you own and preferably in a maintenance window, since embedded ICS web servers can be fragile under scanning
  4. Apply the vendor's current firmware or guidance as a precaution even if you cannot confirm exposure

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the gateway: arbitrary code execution on the device, configuration changes that disrupt Modbus communication between controllers and field devices, and use of the gateway as a foothold for lateral movement within the industrial network.

🟠 Likely Case

Unauthorized reading and altering of the gateway's configuration (network and protocol settings), disruption of the traffic passing through it, and disclosure of whatever configuration and process data the web interface exposes.

🟢 If Mitigated

Limited impact if network segmentation and access controls confine the web interface to a small, trusted management network. These controls reduce exposure only; the missing authentication remains until fixed firmware is applied.

🌐 Internet-Facing: HIGH - Directly exposed systems can be exploited by any internet-connected attacker without authentication.
🏢 Internal Only: HIGH - Even internally, lack of authentication allows any network user to access and potentially compromise the device.

🎯 Exploit Status

Public PoC: No
Weaponized: Not publicly reported; none is needed, since an ordinary browser or HTTP client is sufficient once the interface is reachable
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no credentials and no special tooling: plain HTTP requests to the web interface reach the same functions an administrator would use after logging in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated in the CVE record; check the vendor for the current firmware or guidance for this model

Vendor Page: https://www.automationdirect.com/adc/shopping/catalog/communications/protocol_gateways/modbus_gateways/eki-1221-ce (this is the product catalog entry, not a dedicated security advisory; the vendor's current security guidance may be published elsewhere)

Restart Required: Yes

Instructions:

  1. Check the vendor's site for the latest firmware or security guidance for this model.
  2. Download the firmware image from the vendor site only, and verify any checksum the vendor publishes.
  3. Back up the current device configuration and schedule the update for a maintenance window, since the gateway will not pass Modbus traffic while it reboots.
  4. Upload the firmware to the device via the web interface and apply the update.
  5. Reboot the device to complete installation, then confirm that the web interface demands credentials before showing any page.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Place the gateway in its own network segment and allow traffic only from the engineering workstations and controllers that need it; deny everything else, including any route from the corporate network or the internet.

Access Control Lists (applies to: all)

Restrict the device's web interface (its HTTP/HTTPS management ports) with network ACLs or firewall rules to a short allowlist of management hosts. Modbus/TCP uses a different port from the web interface, so the ACL can block management access without interrupting process communication through the gateway.

🧯 If You Can't Patch

  • Remove any internet exposure and put the device behind a firewall that permits the web interface only from named management hosts
  • Monitor for, and alert on, any HTTP connection to the device from outside that allowlist, and on configuration changes you did not schedule
  • Where the web interface is not needed day to day, block it entirely at the network edge and open it only during maintenance

🔍 How to Verify

Check if Vulnerable:

From a fresh browser session, or from a host that has never logged in to the device, browse to the management IP address and open a configuration page. If pages render or accept changes without a login prompt, the device is vulnerable. Test only devices you own, and prefer a maintenance window: embedded ICS web servers can behave unpredictably under aggressive scanning, so a handful of manual requests is safer than a full scanner run.

Check Version:

Check the device web interface (usually a status or system information page) or the serial console for the firmware version, and compare it with the vendor's current release for this model.

Verify Fix Applied:

After patching, attempt to access web interface without authentication. Access should be denied and require proper credentials.
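The before-and-after check described in this section, written as a small script. This is an added example for this page, not vendor, NVD or CISA code. It sends plain GETs with no credentials and classifies each response as open (content served), gated (401/403, a redirect to a login page, or a login form) or other. The probe paths are assumptions, since this page does not document the gateway's real URLs; substitute the paths your browser shows after a legitimate login. The mock server at the bottom is a constructed stand-in so the script runs offline; against a real device, call check_device() with the management URL instead, and only for devices you own.

```python
"""Unauthenticated-access check for an embedded web interface (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# ASSUMPTION: placeholder paths, not taken from any device documentation.
PROBE_PATHS = ("/", "/config", "/network")
# Strings whose presence in a 200 body suggests a login form rather than content.
LOGIN_MARKERS = (b"login", b"password", b"sign in")


def probe(base_url, path, timeout=5.0):
    """GET `path` with no credentials; return (status, lower-cased headers, body)."""
    u = urlparse(base_url)
    https = u.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(u.hostname, u.port or (443 if https else 80), timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "authcheck/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read(65536)
    finally:
        conn.close()


def classify(status, headers, body):
    """Map one anonymous response to 'gated', 'open', 'redirect' or 'other'."""
    if status in (401, 403):
        return "gated"
    if 300 <= status < 400:
        loc = headers.get("location", "").lower()
        return "gated" if "login" in loc else "redirect"
    if status == 200:
        return "gated" if any(m in body.lower() for m in LOGIN_MARKERS) else "open"
    return "other"


def check_device(base_url, paths=PROBE_PATHS):
    """Probe every path; 'VULNERABLE' if any page that should need a login is served open."""
    results = {}
    for path in paths:
        try:
            results[path] = classify(*probe(base_url, path))
        except OSError as exc:
            results[path] = f"error: {exc}"
    verdict = "VULNERABLE" if "open" in results.values() else "NOT CONFIRMED"
    return verdict, results


# --- Constructed stand-in for the gateway so the script runs offline -----------
class _MockGateway(BaseHTTPRequestHandler):
    """Toy device: serves a configuration page, optionally demanding Basic auth."""
    require_auth = False

    def do_GET(self):
        if self.require_auth and self.headers.get("Authorization") is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="gateway"')
            self.end_headers()
            return
        body = b"<html><body><h1>Gateway configuration</h1>IP: 10.0.0.5</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_mock(require_auth):
    """Start a mock on an ephemeral loopback port; return (base_url, server)."""
    handler = type("MockHandler", (_MockGateway,), {"require_auth": require_auth})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


if __name__ == "__main__":
    for label, gated in (("unpatched behaviour", False), ("patched behaviour", True)):
        url, srv = run_mock(gated)
        verdict, detail = check_device(url)
        print(f"{label}: {verdict} {detail}")
        srv.shutdown()
        srv.server_close()
```

The verdict is deliberately "NOT CONFIRMED" rather than "SAFE" when nothing is served open: a 302 to an unexpected location or a 5xx tells you nothing about authentication, and a device that gates "/" may still leave a deeper path exposed, which is why the path list is the part worth tailoring.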

📡 Detection & Monitoring

Log Indicators:

  • Requests to the web interface served without any preceding login (many embedded gateways do not log authentication events at all, so this signal usually has to come from a proxy or network sensor in front of the device)
  • Configuration changes on the device with no matching login or change-management record

Network Indicators:

  • HTTP requests to the device's management interface that carry no Authorization header or session cookie
  • Web-interface connections from hosts outside the expected management subnet, or otherwise unusual traffic to industrial control devices

SIEM Query:

source="device_logs" AND (event="unauthenticated_access" OR event="configuration_change")

The source and event names above are placeholders; map them to the field names your collector actually produces for the sensor or proxy that observes the device.
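The detection logic behind those indicators, run over sample request records. This is an added example for this page, not the page's own SIEM query and not vendor code. Because the gateway itself is unlikely to record whether a request carried credentials, the records are constructed as if exported by a network sensor or reverse proxy in front of the device. The field names (src, dst, method, path, has_auth), the device address, the permitted management subnet and the configuration path prefixes are all assumptions to be replaced with your own.

```python
"""Flag unauthenticated or out-of-policy use of a gateway web interface (added example)."""
import ipaddress
import json
from collections import Counter

# ASSUMPTION: the gateway's management address and the only subnet that should
# ever reach its web interface.
DEVICE_IPS = {"10.10.1.20"}
ALLOWED_SOURCES = (ipaddress.ip_network("10.10.5.0/24"),)
# ASSUMPTION: paths whose use implies configuration access on the device.
CONFIG_PREFIXES = ("/config", "/network", "/firmware")
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# Constructed sample records (newline-delimited JSON), not real captures.
SAMPLE_RECORDS = """\
{"ts":"2025-05-01T08:00:01Z","src":"10.10.5.12","dst":"10.10.1.20","method":"GET","path":"/","has_auth":true}
{"ts":"2025-05-01T08:00:05Z","src":"10.10.5.12","dst":"10.10.1.20","method":"POST","path":"/config/network","has_auth":true}
{"ts":"2025-05-01T08:17:42Z","src":"192.168.77.9","dst":"10.10.1.20","method":"GET","path":"/config","has_auth":false}
{"ts":"2025-05-01T08:17:43Z","src":"192.168.77.9","dst":"10.10.1.20","method":"POST","path":"/config/network","has_auth":false}
{"ts":"2025-05-01T08:17:50Z","src":"192.168.77.9","dst":"10.10.1.20","method":"POST","path":"/firmware/upload","has_auth":false}
{"ts":"2025-05-01T08:30:00Z","src":"10.10.5.30","dst":"10.10.1.99","method":"GET","path":"/status","has_auth":false}
{"ts":"2025-05-01T08:45:12Z","src":"10.10.5.30","dst":"10.10.1.20","method":"POST","path":"/config/time","has_auth":false}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(rec):
    """Return the reasons this record is suspicious (empty list if none)."""
    if rec["dst"] not in DEVICE_IPS:
        return []  # not traffic to a monitored gateway
    reasons = []
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in ALLOWED_SOURCES):
        reasons.append("source outside the permitted management subnet")
    is_config = rec["path"].startswith(CONFIG_PREFIXES) or rec["method"] in STATE_CHANGING
    if is_config and not rec["has_auth"]:
        reasons.append("configuration access without credentials")
    if rec["path"].startswith("/firmware") and not rec["has_auth"]:
        reasons.append("firmware endpoint reached without credentials")
    return reasons


def detect(records):
    """Run evaluate() over all records; return one alert dict per suspicious record."""
    alerts = []
    for rec in records:
        reasons = evaluate(rec)
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "method": rec["method"],
                           "path": rec["path"], "reasons": reasons})
    return alerts


def summarize(alerts):
    """Count alerts per source; a burst from one host is the usual shape of this attack."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = detect(parse_records(SAMPLE_RECORDS))
    for a in found:
        print(a["ts"], a["src"], a["method"], a["path"], "->", "; ".join(a["reasons"]))
    print("per source:", dict(summarize(found)))
```

Two of the sample alerts are worth noticing. The last record comes from an allowed workstation yet still fires, because a configuration POST with no credentials is exactly what this CVE permits and should never look normal. The record to 10.10.1.99 is ignored entirely: scoping the rule to the gateway's address keeps it from flooding on unrelated web traffic.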
