CVE-2025-52361: n/a
Insecure permissions in the script /etc/init.d/lighttpd in AK-Nord USB-Server-LXL Firmware v0.0.16 Build 2023-03-13 allows a locally authenticated low-privilege user to execute arbitrary commands with root privilege via editing this script which is executed with root-privileges on any interaction and on every system boot.
AI Analysis
Technical Summary
CVE-2025-52361 is a vulnerability identified in the AK-Nord USB-Server-LXL Firmware version 0.0.16 (build dated 2023-03-13). The issue stems from insecure file permissions set on the /etc/init.d/lighttpd script, which is executed with root privileges during system boot and upon any interaction with the device. Because the script is writable by low-privilege, locally authenticated users, an attacker with local access can modify this script to execute arbitrary commands with root privileges. This vulnerability is categorized under CWE-276 (Incorrect Default Permissions), indicating a failure to properly restrict access to critical system files. The CVSS v3.1 base score is 7.8, reflecting high severity due to the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and privileges required. Exploitation does not require user interaction but does require local authentication, which limits remote exploitation but still poses a significant risk in environments where local access is possible. No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability could allow attackers to fully compromise the device, potentially pivoting to other networked systems or disrupting critical services.
Potential Impact
For European organizations, especially those deploying AK-Nord USB-Server-LXL devices in industrial, manufacturing, or critical infrastructure environments, this vulnerability presents a significant risk. Successful exploitation can lead to complete system compromise, allowing attackers to execute arbitrary commands as root, potentially leading to data theft, system manipulation, or denial of service. Given the device's role as a USB server, attackers could also use it as a foothold to move laterally within internal networks. The impact on confidentiality, integrity, and availability is high, which could disrupt business operations, cause data breaches, or impact safety-critical processes. Organizations with less stringent physical or local access controls are particularly vulnerable. The lack of available patches increases the urgency for interim mitigations. Additionally, regulatory compliance frameworks in Europe, such as GDPR and NIS Directive, may impose reporting obligations if this vulnerability leads to data breaches or service disruptions.
Mitigation Recommendations
Immediate mitigation steps include auditing and restricting permissions on the /etc/init.d/lighttpd script to ensure it is writable only by root or trusted administrators. Organizations should implement strict local access controls to prevent unauthorized users from gaining authenticated local access to the device. Network segmentation should be employed to isolate the affected devices from sensitive or critical network segments, limiting potential lateral movement. Monitoring and logging local access attempts and changes to critical scripts can help detect exploitation attempts. If possible, disable or restrict unnecessary interactions with the device that trigger the script execution until a vendor patch is available. Engage with AK-Nord or device vendors to obtain firmware updates or patches addressing this vulnerability. Additionally, consider deploying host-based intrusion detection systems (HIDS) on these devices to alert on unauthorized file modifications. Finally, review and enforce strong authentication mechanisms for local access to reduce the risk of unauthorized exploitation.
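One way to carry out the permission audit recommended above, as an added example that is not vendor or advisory code: it flags a root-executed script, or the directory holding it, when it is not owned by root or is writable by group or other. It assumes a POSIX shell and a `stat` that supports `-L` and `-c` (GNU coreutils or BusyBox); `EXPECTED_UID`, `flag_if_unsafe` and `audit_script` are names made up for this example.

```shell
#!/bin/sh
# Added example: audit a script that init runs as root for CWE-276 style faults.
# EXPECTED_UID is an assumption of this example (0 = root).
EXPECTED_UID="${EXPECTED_UID:-0}"

# flag_if_unsafe PATH
# Prints a finding and returns 1 when PATH is not owned by EXPECTED_UID or is
# writable by group or other. Returns 2 when PATH cannot be examined.
flag_if_unsafe() {
    mode=$(stat -L -c '%a' "$1") || return 2   # -L: follow symlinks to the real file
    uid=$(stat -L -c '%u' "$1") || return 2
    rc=0
    if [ "$uid" != "$EXPECTED_UID" ]; then
        echo "FINDING owner uid=$uid (expected $EXPECTED_UID): $1"
        rc=1
    fi
    # Octal 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FINDING group/other writable (mode $mode): $1"
        rc=1
    fi
    return $rc
}

# audit_script PATH
# Checks the script and its containing directory: a writable directory lets a
# low-privilege user replace the script even when the file mode is correct.
audit_script() {
    status=0
    flag_if_unsafe "$1" || status=1
    flag_if_unsafe "$(dirname "$1")" || status=1
    return $status
}

# Usage on the device: sh audit.sh /etc/init.d/lighttpd
# Interim fix when a finding is reported (run as root):
#   chown root:root /etc/init.d/lighttpd && chmod 0755 /etc/init.d/lighttpd
if [ "$#" -gt 0 ]; then
    audit_script "$1"
fi
```

Re-run the check after every firmware update or factory reset, since either may restore the shipped permissions.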
Affected Countries
Germany, France, Italy, Netherlands, Belgium, Poland, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 688ce524ad5a09ad00ca3848
Added to database: 8/1/2025, 4:02:44 PM
Last enriched: 11/4/2025, 1:37:46 AM
Last updated: 12/14/2025, 7:13:04 AM