CVE-2025-36729: CWE-269 Improper Privilege Management in RACOM M!DGE2
A non-primary administrator user with admin rights to the web interface but without shell access permissions can display configuration of the device including the master admin password. This vulnerability also allows the user to give themselves shell access with the root gid.
AI Analysis
Technical Summary
CVE-2025-36729 is a high-severity vulnerability in RACOM's M!DGE2 device, reported against version 4.0. The root cause is improper privilege management (CWE-269) in the web interface: the shell-access permission is not enforced separately from the administrator role, so a non-primary administrator who has admin rights to the web interface but no shell-access permission can still (1) display the full device configuration, which includes the master administrator password, and (2) grant their own account shell access with the root group ID (gid).

Two points deserve care when assessing this. First, a shell with root gid is not the same as a uid 0 shell; what it grants in practice depends on which files are group-writable and which binaries are setgid on the device. The gid detail changes little for the outcome, however, because the disclosed master administrator password already gives the attacker the highest privilege the device offers. Until a fix is applied, every account with admin rights to the web interface should therefore be treated as equivalent to the master administrator. Second, the precondition is real: the attacker needs a valid admin-level web account, so this is an insider or compromised-credential scenario, not an unauthenticated remote exploit.

The CVSS v3.1 base score is 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability. No exploitation in the wild had been reported at publication, and no vendor patch was available, which makes compensating controls and monitoring the immediate priority.
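To make the failure class concrete, here is a small model added for this page (hypothetical code, not RACOM's firmware and not derived from it): a web handler that authorizes configuration display and permission changes on the coarse "admin" role alone, beside a hardened version that redacts the secret for non-primary administrators and refuses any permission grant the requester does not itself hold. The account names, the master password value and the handler names are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_admin: bool            # may use the web interface as an administrator
    shell_access: bool        # may open a shell on the device
    is_primary: bool = False  # the single master administrator account


@dataclass
class Device:
    master_password: str
    users: dict[str, User] = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when a handler refuses the request."""


# ---- vulnerable handlers: the only question asked is "is the caller an admin?"
def show_config_vulnerable(dev: Device, actor: User) -> dict:
    if not actor.is_admin:
        raise Forbidden("admin role required")
    # The whole configuration, master password included, goes to any admin.
    return {"master_password": dev.master_password,
            "shell_users": sorted(u.name for u in dev.users.values() if u.shell_access)}


def set_shell_access_vulnerable(dev: Device, actor: User, target: str, enable: bool) -> None:
    if not actor.is_admin:
        raise Forbidden("admin role required")
    # No check that the actor holds shell access, nor that the target is not the actor.
    dev.users[target].shell_access = enable


# ---- hardened handlers: separate the secret from the role, and forbid self-escalation
def show_config_hardened(dev: Device, actor: User) -> dict:
    if not actor.is_admin:
        raise Forbidden("admin role required")
    cfg = {"shell_users": sorted(u.name for u in dev.users.values() if u.shell_access)}
    # Only the primary administrator sees the secret; everyone else gets a redacted view.
    cfg["master_password"] = dev.master_password if actor.is_primary else "<redacted>"
    return cfg


def set_shell_access_hardened(dev: Device, actor: User, target: str, enable: bool) -> None:
    if not actor.is_admin:
        raise Forbidden("admin role required")
    if enable and not actor.shell_access:
        # Nobody may grant a permission they do not hold themselves.
        raise Forbidden("cannot grant shell access without holding it")
    if target == actor.name and not actor.is_primary:
        # A secondary administrator never edits its own permission set.
        raise Forbidden("secondary admins cannot change their own permissions")
    dev.users[target].shell_access = enable


def fresh_device() -> tuple[Device, User]:
    """Constructed fixture: a primary admin with shell, and a secondary admin without."""
    dev = Device(master_password="constructed-master-secret")
    dev.users["admin"] = User("admin", is_admin=True, shell_access=True, is_primary=True)
    dev.users["ops"] = User("ops", is_admin=True, shell_access=False)
    return dev, dev.users["ops"]


def demo() -> dict:
    """Run the secondary admin 'ops' through both code paths and report the outcome."""
    out = {}
    dev, ops = fresh_device()
    out["vuln_sees_password"] = show_config_vulnerable(dev, ops)["master_password"] == dev.master_password
    set_shell_access_vulnerable(dev, ops, "ops", True)
    out["vuln_got_shell"] = dev.users["ops"].shell_access

    dev, ops = fresh_device()
    out["hard_sees_password"] = show_config_hardened(dev, ops)["master_password"] == dev.master_password
    try:
        set_shell_access_hardened(dev, ops, "ops", True)
    except Forbidden:
        pass
    out["hard_got_shell"] = dev.users["ops"].shell_access
    return out


if __name__ == "__main__":
    print(demo())
```

The two hardened checks are independent: redacting secrets for non-primary accounts closes the disclosure, and refusing grants of permissions the caller does not hold closes the escalation. Either one alone would leave half of the reported behaviour in place.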
Potential Impact
For European organizations that run RACOM M!DGE2 devices in critical communications infrastructure, the risk is significant. A non-primary administrator who escalates to a root-gid shell and learns the master administrator password has effectively taken over the device. If that password, or any other credential held in the exported configuration, is reused elsewhere, the disclosure also enables lateral movement into other systems. Unauthorized configuration changes threaten the integrity of network operations, can disrupt services or install persistent backdoors, and can degrade availability if device functions are disabled or manipulated. Because RACOM devices are typically deployed in industrial, utility and telecommunications settings, the impact can reach critical infrastructure, with consequences for operational continuity and for obligations under NIS2; where personal data traverses or is stored on the device, GDPR exposure follows a compromise.
Mitigation Recommendations
With no vendor patch available at publication, the following compensating controls apply:

- Inventory every account with admin rights to the M!DGE2 web interface and remove or downgrade any that do not strictly need them. Until a fix ships, treat each remaining secondary admin account as equivalent to the master administrator, because that is what the flaw makes it.
- Restrict the web management interface to a dedicated management network with firewalls or ACLs, and never expose it on the WAN or cellular side.
- Rotate the master administrator password if any secondary admin account has been held by a person or system that is no longer trusted, and do not reuse that password on other systems; assume it may already have been read.
- Enable multi-factor authentication for administrative access where the device supports it. Note that MFA protects against stolen credentials; it does not stop a legitimate secondary administrator from abusing the flaw.
- Monitor device and syslog records for configuration displays or exports by non-primary administrators, for permission changes on admin accounts (especially an account editing its own permissions), and for shell or SSH logins from accounts that should not hold shell access.
- Establish a vulnerability-management entry for this device so the vendor fix can be deployed quickly once released, and where feasible isolate or temporarily replace vulnerable units in critical environments until then.
- Train administrators to recognise and report unexpected permission changes or configuration exports on the device.
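The monitoring recommendation above, as an added example that is not taken from the vendor or from this page: detection rules run over constructed audit-log lines. The line format (`<timestamp> user=<name> action=<verb> [target=<name>] [value=on|off]`), the action names, the primary-admin name and the baseline set of shell users are all assumptions made for illustration, not M!DGE2's real log format; map them to whatever the device or your syslog collector actually emits.

```python
from __future__ import annotations
import re

# Assumed line format, constructed for this example (not the device's real syslog format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: target=(?P<target>\S+))?(?: value=(?P<value>\S+))?\s*$"
)

# Constructed sample: secondary admin 'ops' exports the config, grants itself a shell,
# logs in over SSH, and the primary admin later revokes the shell again.
SAMPLE_LOG = """\
2025-08-26T10:00:01Z user=admin action=login
2025-08-26T10:00:05Z user=ops action=login
2025-08-26T10:01:10Z user=ops action=config.export
2025-08-26T10:02:30Z user=ops action=user.set_shell target=ops value=on
2025-08-26T10:03:00Z user=ops action=ssh.login
2025-08-26T10:05:00Z user=admin action=user.set_shell target=ops value=off
this line is garbage and must be skipped
"""

PRIMARY_ADMIN = "admin"           # assumption: name of the master administrator account
BASELINE_SHELL_USERS = {"admin"}  # assumption: accounts that legitimately hold shell access


def parse(line: str) -> dict | None:
    """Return the fields of one log line, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text: str, primary: str, baseline_shell: set[str]) -> list[dict]:
    """Return one finding per suspicious event, in log order.

    Rules (each keyed by name in the result):
      config-export-by-secondary-admin : a config export not performed by the primary admin
      shell-grant-by-non-shell-user    : shell access granted by an account that holds none
      self-permission-change           : a non-primary account editing its own permissions
      shell-login-outside-baseline     : a shell login by an account outside the known set
    """
    shell_now = set(baseline_shell)  # tracked as grants and revocations are observed
    findings: list[dict] = []

    def flag(rule: str, ev: dict) -> None:
        findings.append({"ts": ev["ts"], "rule": rule,
                         "user": ev["user"], "target": ev.get("target")})

    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        actor, action = ev["user"], ev["action"]
        if action == "config.export" and actor != primary:
            flag("config-export-by-secondary-admin", ev)
        elif action == "user.set_shell":
            enable = ev["value"] == "on"
            if enable and actor not in shell_now:
                flag("shell-grant-by-non-shell-user", ev)
            if ev["target"] == actor and actor != primary:
                flag("self-permission-change", ev)
            # Keep the tracked state in step with what the device actually did.
            (shell_now.add if enable else shell_now.discard)(ev["target"])
        elif action == "ssh.login" and actor not in baseline_shell:
            flag("shell-login-outside-baseline", ev)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, PRIMARY_ADMIN, BASELINE_SHELL_USERS):
        print(f"{f['ts']} {f['rule']:34} user={f['user']} target={f['target']}")
```

The shell-login rule deliberately compares against the static baseline rather than the tracked state: a login that only became possible because of a grant observed minutes earlier is exactly the event worth an alert, and an unexpected grant followed by a login is the full sequence the description above implies.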
Affected Countries
Germany, France, United Kingdom, Netherlands, Poland, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: tenable
- Date Reserved: 2025-04-15T21:53:52.386Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ade535ad5a09ad0059d7e9
Added to database: 8/26/2025, 4:47:49 PM
Last enriched: 9/5/2025, 8:09:31 PM
Last updated: 10/10/2025, 5:25:31 PM