CVE-2025-5310

9.8 CRITICAL

Remote Code Execution Authentication Bypass

📋 TL;DR

Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented, unauthenticated target communication framework (TCF) interface on a specific port, allowing attackers to create, delete, or modify files remotely. This vulnerability can lead to remote code execution with critical impact. Organizations using these fuel management consoles in industrial control systems are affected.

💻 Affected Systems

Products:

• Dover Fueling Solutions ProGauge MagLink LX Consoles

Versions: All versions prior to patched release (specific version information not provided in references)

Operating Systems: Embedded/Proprietary OS on MagLink LX consoles

Default Config Vulnerable: ⚠️ Yes

Notes: The TCF interface is undocumented and enabled by default on affected consoles.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

1. Review the CVE details at NVD
2. Check vendor security advisories for your specific version
3. Test if the vulnerability is exploitable in your environment
4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary code, disrupt fuel operations, manipulate fueling data, or pivot to other industrial systems.

🟠

Likely Case

Unauthorized file manipulation leading to service disruption, data corruption, or installation of malware for persistence.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to the vulnerable interface.

🌐 Internet-Facing: HIGH - The unauthenticated interface on a specific port can be directly accessed from the internet if exposed.

🏢 Internal Only: HIGH - Even internally, the lack of authentication allows any network-connected attacker to exploit the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires no authentication and allows direct file manipulation, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Specific version not provided in references - consult vendor advisory

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-05

Restart Required: Yes

Instructions:

1. Contact Dover Fueling Solutions for patch availability 2. Apply vendor-provided firmware update 3. Restart affected consoles 4. Verify patch application

🔧 Temporary Workarounds

Network Segmentation and Firewall Rules

all

Block access to the TCF interface port using network firewalls and segment affected consoles from untrusted networks.

Access Control Lists

all

Implement strict network access controls to limit which systems can communicate with the vulnerable port.

🧯 If You Can't Patch

• Isolate affected consoles in a dedicated network segment with no internet access
• Implement strict firewall rules to block all traffic to the TCF interface port from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Copy

Check if ProGauge MagLink LX consoles are accessible on the TCF interface port (port number not specified in references) and respond to unauthenticated file manipulation requests.

Check Version:

Copy

Consult console management interface or vendor documentation for firmware version information

Verify Fix Applied:

Copy

Verify that the TCF interface no longer accepts unauthenticated connections or file operations after applying vendor patches.

📡 Detection & Monitoring

Log Indicators:

• Unauthorized connection attempts to TCF interface port
• Unexpected file creation/modification/deletion events on console

Network Indicators:

• Traffic to the TCF interface port from unauthorized sources
• Unusual file transfer patterns to/from console

SIEM Query:

Copy

source_ip OUTSIDE trusted_networks AND dest_port = [TCF_PORT] AND protocol = TCP

📊 Metadata

CVE ID: CVE-2025-5310

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

EPSS Score: 0.43% exploit probability (61.9th percentile)

Published: June 27, 2025

Last Updated: September 4, 2025

🔗 References

• https://ociocisa.sharepoint.com/teams/JCDC-ProductionOffice/Shared%20Documents/Forms/AllItems.aspx?OR=Teams%2DHL&CT=1736953471669&id=%2Fteams%2FJCDC%2DProductionOffice%2FShared%20Documents%2FPublications%2FICS%20Publishing%2F2025%20ICSAs%2FJUN%2017%2FVU%23285756%20%2D%20Dover%20Fueling%20Solutions%20ProGauge%20MAGLINK%20%2D%20Notice%20%28Draft%29%2Ehtml&viewid=243fd1ea%2Da122%2D4cc0%2Dbe91%2Dd0714ca46b87&parent=%2Fteams%2FJCDC%2DProductionOffice%2FShared%20Documents%2FPublications%2FICS%20Publishing%2F2025%20ICSAs%2FJUN%2017
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-05

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5310, you might also want to check these:

CVE-2025-32433 10.0

This CVE describes a critical vulnerability in Erlang/OTP's SSH server that allows unauthenticated r...

Same vulnerability type (CWE-306)

CVE-2026-23693 10.0

The ElementsKit Lite WordPress plugin versions before 3.7.9 expose an unauthenticated REST endpoint ...

Same vulnerability type (CWE-306)

CVE-2025-58083 10.0

The General Industrial Controls Lynx+ Gateway has a critical authentication bypass vulnerability in ...

Same vulnerability type (CWE-306)