CVE-2025-52361: n/a

Severity: High
Tags: Vulnerability, CVE-2025-52361
Published: Fri Aug 01 2025 (08/01/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Insecure permissions in the script /etc/init.d/lighttpd in AK-Nord USB-Server-LXL Firmware v0.0.16 Build 2023-03-13 allow a locally authenticated low-privilege user to execute arbitrary commands with root privileges by editing this script, which is executed with root privileges on any interaction and on every system boot.

AI-Powered Analysis

Last updated: 08/09/2025, 00:56:30 UTC

Technical Analysis

CVE-2025-52361 is a high-severity vulnerability in AK-Nord USB-Server-LXL Firmware version 0.0.16 (Build 2023-03-13). It stems from insecure permissions on the /etc/init.d/lighttpd script, which is executed with root privileges on every system boot and upon any interaction. Because of the improper permission settings, a locally authenticated user with low privileges can modify the script. Anything placed in the script then runs as root, which escalates that user's access to full administrative control over the device.

The vulnerability is classified under CWE-276, which relates to improper permissions. The CVSS v3.1 base score is 7.8 (high severity), with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. That is, the attack requires local access with low privileges and no user interaction, and it results in high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no patches have been linked yet.

The issue is significant because the device runs a network-facing service (lighttpd), and root privileges can lead to full device compromise, data theft, or disruption of service. Since exploitation requires local authentication, the attack surface is limited to insiders or users who already have some access to the device, but the ease of privilege escalation makes it a serious threat in environments where multiple users have access or where the device is not physically secured.

Potential Impact

For European organizations, this vulnerability poses a significant risk especially in environments where AK-Nord USB-Server-LXL devices are deployed. These devices likely serve as network-attached storage or USB sharing servers, potentially holding sensitive data or acting as critical infrastructure components. An attacker exploiting this vulnerability could gain root access, leading to full system compromise, data exfiltration, or disruption of services. This could impact confidentiality by exposing sensitive data, integrity by allowing unauthorized changes, and availability by enabling denial-of-service conditions. In sectors such as manufacturing, healthcare, or government institutions where such devices might be used, the impact could be severe. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within a network, increasing the risk of broader compromise. Given the local access requirement, the threat is more acute in environments with multiple users or insufficient physical and logical access controls. The lack of patches also increases the window of exposure for affected organizations.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately audit all AK-Nord USB-Server-LXL devices to identify affected firmware versions. Until a patch is available, restrict local access to these devices to trusted administrators only, enforcing strict physical security controls to prevent unauthorized access. Implement monitoring and alerting for any changes to the /etc/init.d/lighttpd script or unusual process executions related to lighttpd. Consider isolating these devices on segmented network zones with limited access to reduce the risk of lateral movement. If possible, disable or restrict the lighttpd service if it is not essential. Regularly review user accounts and permissions on these devices to ensure no unnecessary accounts exist. Engage with the vendor for firmware updates or patches and apply them promptly once available. Additionally, consider deploying host-based intrusion detection systems (HIDS) on these devices to detect unauthorized modifications. Finally, incorporate this vulnerability into incident response plans to ensure rapid containment if exploitation is detected.
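The audit and change-monitoring steps above can be scripted. The following is an added example, not part of the original advisory or any vendor tooling: it checks that a root-executed init script and its directory are writable only by the expected owner, and compares the script against a recorded SHA-256 baseline. The function names and the TARGET variable are hypothetical, and it assumes a POSIX shell with `stat -c` and `sha256sum` (GNU coreutils or BusyBox) is available.

```shell
#!/bin/sh
# Added example (not vendor code). Default target is the script named in the CVE.
TARGET=${TARGET:-/etc/init.d/lighttpd}

# check_perms FILE [UID]
# Succeeds only if FILE and its parent directory are owned by UID
# (default 0 = root) and are not group- or world-writable.
# Returns 1 on a finding, 2 if FILE does not exist.
check_perms() {
    file=$1 want_uid=${2:-0} rc=0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    for path in "$file" "$(dirname "$file")"; do
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$owner" != "$want_uid" ]; then
            echo "BAD-OWNER $path uid=$owner"; rc=1
        fi
        # Octal 022 = write bit for group and for others.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path mode=$mode"; rc=1
        fi
    done
    return $rc
}

# record_baseline FILE BASELINE: store the known-good SHA-256 of FILE.
record_baseline() { sha256sum "$1" > "$2"; }

# verify_baseline BASELINE: succeeds only if the file still matches its hash.
verify_baseline() { sha256sum -c "$1" >/dev/null 2>&1; }

# Stand-alone use: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    check_perms "$TARGET" && echo "OK $TARGET"
fi
```

Keep the baseline file somewhere the low-privilege accounts cannot write, ideally off the device, since a baseline stored next to a modifiable script can be replaced along with it.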


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 688ce524ad5a09ad00ca3848

Added to database: 8/1/2025, 4:02:44 PM

Last enriched: 8/9/2025, 12:56:30 AM

Last updated: 9/12/2025, 7:10:32 PM
