
CVE-2025-62772: CWE-305 Authentication Bypass by Primary Weakness in Mercku M6a

Severity: Low
Type: Vulnerability
Tags: CVE-2025-62772, cve, cwe-305
Published: Wed Oct 22 2025 (10/22/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Mercku
Product: M6a

Description

On Mercku M6a devices through 2.1.0, session tokens remain valid for at least months in some cases.

AI-Powered Analysis

AI analysis last updated: 10/29/2025, 04:39:33 UTC

Technical Analysis

CVE-2025-62772 is a vulnerability classified under CWE-305 (Authentication Bypass by Primary Weakness) affecting Mercku M6a devices running firmware versions through 2.1.0. The core issue is that session tokens issued by the device remain valid for an unusually long duration, in some cases lasting several months. This extended validity period means that if an attacker obtains a session token, they can bypass normal authentication mechanisms and gain unauthorized access to the device or its management interface without needing to re-authenticate. The vulnerability does not directly impact confidentiality or availability but can affect integrity by allowing unauthorized changes or configurations. The CVSS v3.1 score is 3.1, reflecting low severity due to the high attack complexity (remote attacker with no privileges but requiring specific conditions), no user interaction, and no direct confidentiality or availability impact. No public exploits have been reported, and no patches are currently available, so the vulnerability remains unmitigated at the device firmware level. The issue highlights a design weakness in session management, where token expiration policies are insufficiently strict, increasing the window of opportunity for attackers who manage to capture or guess valid tokens. This vulnerability is particularly relevant for environments where Mercku M6a devices are used for network access or management, as unauthorized access could lead to configuration tampering or lateral movement within the network.

Potential Impact

For European organizations, the primary impact of CVE-2025-62772 lies in the potential unauthorized access to Mercku M6a devices due to long-lived session tokens. This could allow attackers to bypass authentication controls and modify device settings, potentially undermining network integrity and security posture. While the vulnerability does not directly compromise confidentiality or availability, unauthorized configuration changes could lead to degraded network performance or exposure to further attacks. Organizations relying on these devices for critical network infrastructure or remote access may face increased risk of lateral movement by attackers. The low CVSS score suggests limited immediate risk, but the persistence of valid tokens over months increases the attack window, especially in environments with weak monitoring or token management. European entities with Mercku devices deployed in sensitive or high-security contexts should consider this vulnerability a moderate operational risk. The lack of known exploits reduces urgency but does not eliminate the threat, as attackers could develop methods to capture tokens through other means such as network sniffing or social engineering.

Mitigation Recommendations

1. Monitor Mercku’s official communications for firmware updates addressing this vulnerability and apply patches promptly once available.
2. Implement network segmentation to isolate Mercku M6a devices from critical systems, limiting the impact of potential unauthorized access.
3. Enforce strict access controls and logging on device management interfaces to detect unusual login patterns or token reuse.
4. Use VPNs or secure tunnels for remote management to reduce the risk of token interception.
5. Regularly rotate session tokens or force re-authentication by rebooting devices or restarting management services where possible.
6. Employ network intrusion detection systems (NIDS) to monitor for suspicious activity targeting Mercku devices.
7. Educate network administrators about the risks of long-lived session tokens and encourage vigilance in credential management.
8. Consider alternative devices or vendors with stronger session management policies for high-security environments.
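As an added illustration (not code from the advisory or from Mercku), the following shows the server-side check a device should apply on every request that carries a session token, with a weak policy resembling the months-long validity described above beside a hardened one, and a detection pass (point 3) over constructed management-interface log lines that flags tokens still in use far beyond any reasonable lifetime. The policy values, log format and token names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionPolicy:
    absolute_lifetime: timedelta   # hard cap measured from token issuance
    idle_timeout: timedelta        # cap measured from the token's last use


# Hypothetical policies: the weak one mirrors a token that stays valid for
# months; the hardened one is a conventional management-UI setting.
WEAK_POLICY = SessionPolicy(timedelta(days=365), timedelta(days=365))
HARDENED_POLICY = SessionPolicy(timedelta(hours=8), timedelta(minutes=30))


def token_is_valid(issued_iso: str, last_seen_iso: str, now_iso: str,
                   policy: SessionPolicy) -> bool:
    """Check a device should run on every request: reject the token once
    either the absolute lifetime or the idle timeout has been exceeded."""
    issued, last_seen, now = (datetime.fromisoformat(s)
                              for s in (issued_iso, last_seen_iso, now_iso))
    if now - issued > policy.absolute_lifetime:
        return False
    return now - last_seen <= policy.idle_timeout


def long_lived_tokens(log_lines, max_span_days: int) -> dict:
    """Detection: return {token: days} for tokens whose first and last
    observed use are more than max_span_days apart, i.e. sessions that a
    sane expiry policy would already have invalidated."""
    first, last = {}, {}
    for line in log_lines:
        ts_text, token, _action = line.split()
        ts = datetime.fromisoformat(ts_text)
        first.setdefault(token, ts)
        last[token] = ts
    limit = timedelta(days=max_span_days)
    return {t: (last[t] - first[t]).days for t in first
            if last[t] - first[t] > limit}


# Constructed sample of management-interface access records (not real logs):
# "<ISO timestamp> <token id> <action>".
SAMPLE_LOG = [
    "2025-06-01T08:00:00+00:00 tok_a1 login",
    "2025-06-01T08:05:00+00:00 tok_a1 get_config",
    "2025-09-14T09:00:00+00:00 tok_b2 login",
    "2025-09-14T09:12:00+00:00 tok_b2 get_status",
    "2025-09-14T22:41:00+00:00 tok_a1 set_wifi",   # same token, 3.5 months on
]

if __name__ == "__main__":
    print(long_lived_tokens(SAMPLE_LOG, max_span_days=7))
```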


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-10-22T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68f8501287e9a014511a900d

Added to database: 10/22/2025, 3:31:30 AM

Last enriched: 10/29/2025, 4:39:33 AM

Last updated: 12/7/2025, 2:16:49 PM