CVE-2025-62772: CWE-305 Authentication Bypass by Primary Weakness in Mercku M6a
On Mercku M6a devices through 2.1.0, session tokens remain valid for at least months in some cases.
AI Analysis
Technical Summary
CVE-2025-62772 identifies a security vulnerability in Mercku M6a networking devices running firmware versions through 2.1.0. The issue is classified as CWE-305 (Authentication Bypass by Primary Weakness): session tokens issued by the device remain valid for extended periods, potentially months, without expiring or being revoked. This prolonged validity allows an attacker with access to the network to reuse such a token, bypassing authentication and gaining unauthorized access to device management interfaces or network resources. The vulnerability does not directly affect confidentiality or availability, but it poses an integrity risk because unauthorized actions can be performed under a legitimate session context. The CVSS 3.1 vector (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates that exploitation requires adjacent network access and high attack complexity, with no privileges or user interaction needed. No patches or exploits have been reported at the time of writing, but the issue reflects a design flaw in session management that could be exploited if a token is intercepted or leaked. It underscores the importance of secure session lifecycle management in network devices to prevent authentication bypass.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to network devices or management interfaces if session tokens are compromised. While the direct impact on confidentiality and availability is minimal, the integrity of network operations could be affected if attackers manipulate device configurations or network traffic. Organizations that rely heavily on Mercku M6a devices, such as small to medium enterprises, ISPs, or critical infrastructure providers, may face increased risk. The long token validity period widens the window in which a stolen token can be exploited, especially in environments where network segmentation or monitoring is weak, and could facilitate lateral movement or persistent unauthorized access within corporate networks. However, the high attack complexity and the requirement for adjacent network access limit exploitation to attackers who already have some level of network presence.
Mitigation Recommendations
1. Monitor Mercku’s official channels for firmware updates addressing this vulnerability and apply patches promptly once available.
2. Implement network segmentation to restrict access to Mercku M6a management interfaces, limiting exposure to adjacent network attackers.
3. Enforce strict session management policies, including manual invalidation of sessions and reducing session token lifetimes where configurable.
4. Deploy network intrusion detection systems to identify anomalous reuse of session tokens or unusual access patterns to device management interfaces.
5. Educate network administrators on the risks of long-lived session tokens and encourage regular credential and session audits.
6. Where possible, replace or supplement vulnerable devices with alternatives that implement robust session expiration and token management.
7. Use VPNs or secure tunnels for device management to add an additional layer of authentication and encryption.
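The following is an added example, not part of the original advisory and not Mercku code, illustrating recommendation 4: a small detector that runs over management-interface access logs and flags session tokens that have stayed in use far longer than a sane session lifetime, or that are presented from more than one client address. The log format (timestamp, client IP, token), the sample lines and the 24-hour age limit are all constructed assumptions.

```python
"""Flag long-lived or multi-source session tokens in management-interface access logs."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import hashlib

# Constructed sample log lines (not from a real device): "<ISO-8601 UTC> <client IP> <session token>".
# tok-a1 is first seen in July and still in use in late October, from two different hosts.
SAMPLE_LOG = """\
2025-07-01T08:00:00Z 192.168.1.20 tok-a1
2025-07-01T08:05:00Z 192.168.1.20 tok-a1
2025-10-20T09:12:00Z 192.168.1.20 tok-a1
2025-10-21T10:00:00Z 192.168.1.77 tok-a1
2025-10-21T11:00:00Z 192.168.1.30 tok-b2
2025-10-21T11:30:00Z 192.168.1.30 tok-b2
"""

# Assumed policy: an administrative session on a network device should not outlive a day.
MAX_TOKEN_AGE = timedelta(hours=24)


def parse_line(line):
    ts, ip, token = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), ip, token


def token_fingerprint(token):
    # Alerts should carry a short hash for correlation, never the raw (still valid) token.
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def find_suspicious_sessions(log_text, max_age=MAX_TOKEN_AGE):
    first_seen, last_seen, sources = {}, {}, defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, token = parse_line(line)
        first_seen[token] = min(first_seen.get(token, ts), ts)
        last_seen[token] = max(last_seen.get(token, ts), ts)
        sources[token].add(ip)
    findings = []
    for token in first_seen:
        reasons = []
        age = last_seen[token] - first_seen[token]
        if age > max_age:  # token still accepted long after it should have expired
            reasons.append(f"token active for {age.days} days (limit {max_age})")
        if len(sources[token]) > 1:  # same token presented from several client addresses
            reasons.append(f"used from {len(sources[token])} source addresses")
        if reasons:
            findings.append({"token": token_fingerprint(token), "reasons": reasons,
                             "sources": sorted(sources[token])})
    return findings
```

Feed it the device's real access log (after adapting `parse_line` to the actual format) and route the findings to the detection pipeline; a hit on the age rule is direct evidence that the device is honouring tokens well beyond any reasonable session lifetime.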
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-10-22T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68f8501287e9a014511a900d
Added to database: 10/22/2025, 3:31:30 AM
Last enriched: 10/22/2025, 3:47:21 AM
Last updated: 10/23/2025, 8:01:04 AM