CVE-2025-28238 is a critical vulnerability identified in the firmware version 5.5.1.R of the Elber REBLE310 series equipment, specifically models REBLE310, RX10, and 4ASI. The vulnerability stems from improper session management, classified under CWE-384, which relates to session fixation or hijacking issues. This flaw allows attackers to hijack active sessions without requiring any privileges or user interaction, exploiting the way the firmware handles session tokens or identifiers. Given the CVSS 3.1 base score of 9.8, the vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), with an impact on confidentiality, integrity, and availability rated as high (C:H/I:H/A:H). The session hijacking can enable attackers to impersonate legitimate users, potentially gaining unauthorized access to sensitive device functions, altering configurations, or disrupting operations. Although no known exploits are currently reported in the wild, the severity and ease of exploitation make this a significant threat. The lack of vendor or product information beyond the firmware and equipment models suggests this is a specialized industrial or network device, likely used in telecommunications or critical infrastructure contexts. The absence of available patches at the time of reporting further elevates the risk profile for affected organizations.

For European organizations, the impact of this vulnerability can be substantial, especially for entities relying on Elber REBLE310 series devices in their network infrastructure or industrial control systems. Successful exploitation could lead to unauthorized access to critical network equipment, enabling attackers to intercept or manipulate data flows, disrupt communications, or pivot to other internal systems. This could compromise confidentiality by exposing sensitive operational data, integrity by allowing unauthorized configuration changes, and availability by causing device malfunctions or denial of service. Sectors such as telecommunications, energy, manufacturing, and transportation, which often deploy such specialized equipment, are particularly at risk. The critical nature of the vulnerability means that exploitation could facilitate espionage, sabotage, or service disruption, impacting business continuity and regulatory compliance under frameworks like GDPR and NIS Directive.

Given the absence of official patches, European organizations should implement immediate compensating controls. These include isolating affected devices within segmented network zones with strict access controls and monitoring, employing network intrusion detection systems (NIDS) to identify anomalous session activities, and enforcing strong authentication mechanisms upstream to reduce the risk of session hijacking. Regularly auditing device configurations and logs for unauthorized access attempts is essential. Organizations should engage with the device vendor or authorized support channels to obtain firmware updates or security advisories. Additionally, deploying network-level protections such as VPNs with strong encryption and session management can mitigate exploitation risks. Where feasible, replacing vulnerable devices with updated or alternative solutions should be considered as a long-term strategy. Incident response plans should be updated to include detection and remediation steps for session hijacking scenarios.