CVE-2025-62774: CWE-331 Insufficient Entropy in Mercku M6a
On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.
AI Analysis
Technical Summary
CVE-2025-62774 identifies a vulnerability in the Mercku M6a wireless device series up to firmware version 2.1.0, where the authentication mechanism generates session tokens based on predictable timestamps rather than using cryptographically secure random values. This represents an instance of CWE-331, insufficient entropy, which undermines the randomness required for secure session tokens. Predictable tokens can allow attackers to guess or reproduce valid session tokens, potentially hijacking sessions or gaining unauthorized access to authenticated services. The vulnerability has a CVSS 3.1 base score of 3.1, indicating low severity, primarily due to the attack vector being adjacent network (AV:A), high attack complexity (AC:H), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no integrity or availability effects. No known exploits have been reported in the wild, and no patches are currently available. The vulnerability's root cause is the use of timestamp-based token generation, which lacks sufficient entropy and can be predicted by attackers with network visibility or access. This flaw could be exploited in environments where attackers can observe or infer token generation timing, such as local networks or Wi-Fi environments. The absence of patches necessitates mitigation through network controls and monitoring until a vendor fix is released.
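The summary contrasts timestamp-derived tokens with tokens drawn from a cryptographically secure source. The following Python is an added illustration of that contrast and is not code from the Mercku M6a firmware or from this advisory: the timestamp-based generator is an assumed shape of the CWE-331 weakness (hashing whole seconds of the clock), the hardened generator uses the OS CSPRNG via `secrets`, and a small helper counts how many distinct tokens each generator can actually produce over a window of session creations.

```python
import hashlib
import hmac
import secrets


def timestamp_token(now: float) -> str:
    """Constructed example of insufficient entropy (CWE-331): the token is a
    pure function of the current whole second, so two sessions created in the
    same second receive the same token and the token space over a day is only
    86,400 values. This is an assumed illustration, not the vendor's code."""
    return hashlib.sha256(str(int(now)).encode()).hexdigest()


def secure_token() -> str:
    """Hardened replacement: 32 bytes (256 bits) from the OS CSPRNG,
    URL-safe base64 encoded (43 characters, no padding)."""
    return secrets.token_urlsafe(32)


def token_space_over_window(gen, start: float, seconds: int, per_second: int = 10) -> int:
    """Call `gen(timestamp)` `per_second` times per second for `seconds`
    seconds and return how many distinct tokens came back.  A sound generator
    yields one distinct token per call; a timestamp-only generator yields at
    most one per second no matter how many sessions are created."""
    seen = set()
    for s in range(seconds):
        for k in range(per_second):
            seen.add(gen(start + s + k / per_second))
    return len(seen)


def constant_time_equal(presented: str, stored: str) -> bool:
    """Validate a presented token against the stored one without leaking
    timing information about how many leading characters matched."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    base = 1_700_000_000.0  # constructed start time (seconds since epoch)
    print("timestamp generator, 60 s, 600 calls ->",
          token_space_over_window(timestamp_token, base, 60), "distinct tokens")
    print("CSPRNG generator,    60 s, 600 calls ->",
          token_space_over_window(lambda _t: secure_token(), base, 60), "distinct tokens")
```

The counting helper is the check a reviewer would run against any session-token routine: if the number of distinct tokens tracks wall-clock time rather than the number of calls, the generator is seeded by something an observer on the same network can estimate, which is exactly the condition the advisory describes.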
Potential Impact
For European organizations, the primary impact is the potential compromise of session confidentiality on Mercku M6a devices, which could lead to unauthorized access to network resources or management interfaces. While the vulnerability does not affect integrity or availability, session hijacking could facilitate lateral movement or data exposure within corporate or critical infrastructure networks. Organizations relying on Mercku M6a devices for wireless connectivity in sensitive environments, such as government agencies, healthcare, or finance, may face increased risk if attackers can predict session tokens. The low CVSS score reflects the difficulty of exploitation and limited impact scope, but the threat is more significant in environments with high-value assets or where network segmentation is weak. The lack of known exploits reduces immediate risk, but the predictable nature of tokens means attackers with sufficient access could exploit this vulnerability. European entities should consider this vulnerability in their risk assessments, particularly where Mercku devices are deployed in perimeter or internal network segments.
Mitigation Recommendations
1. Network Segmentation: Isolate Mercku M6a devices on separate VLANs or network segments to limit attacker access to the adjacent network required for exploitation.
2. Access Controls: Restrict management interface access to trusted IP addresses and use strong authentication methods where possible.
3. Monitoring and Logging: Implement enhanced monitoring of authentication events and session token usage to detect anomalies indicative of token prediction or session hijacking attempts.
4. Firmware Updates: Regularly check for vendor firmware updates addressing this vulnerability and apply patches promptly once available.
5. Use VPN or Encrypted Channels: Where feasible, encapsulate management traffic within VPN tunnels or encrypted channels to prevent token interception or prediction.
6. Vendor Engagement: Engage with Mercku support to obtain timelines for patches or recommended workarounds.
7. Token Regeneration Policies: If configurable, reduce session token lifetime or enforce token regeneration to limit the window of exploitation.
These measures go beyond generic advice by focusing on network architecture and operational controls tailored to the specific token predictability issue.
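Recommendation 3 asks for monitoring of session token usage for signs of prediction or hijacking. The following Python is an added example of two such checks and is not part of the advisory or of any Mercku tooling; the log format is an assumption (the M6a's real log layout is not documented here), and the sample lines are constructed. It flags a token that is presented from more than one client address, and a token that is used in requests without ever appearing in a successful login event.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <event> <client_ip> tok=<token>".
# The layout is an assumption for illustration, not the device's format.
SAMPLE_LOG = """\
2025-10-22T03:10:01Z login_ok 192.168.1.20 tok=5f1a
2025-10-22T03:10:05Z request  192.168.1.20 tok=5f1a
2025-10-22T03:10:09Z request  192.168.1.77 tok=5f1a
2025-10-22T03:11:30Z login_ok 192.168.1.31 tok=9c02
2025-10-22T03:11:45Z request  192.168.1.31 tok=9c02
2025-10-22T03:12:00Z request  192.168.1.90 tok=1e44
"""


def parse_line(line: str):
    """Split one log line into (timestamp, event, client_ip, token)."""
    ts, event, ip, tok = line.split()
    return ts, event, ip, tok.removeprefix("tok=")


def tokens_used_from_multiple_clients(log_text: str) -> dict:
    """Map token -> sorted list of client IPs for every token that was
    presented from more than one address (a session-hijack indicator)."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _event, ip, tok = parse_line(line)
        clients[tok].add(ip)
    return {tok: sorted(ips) for tok, ips in clients.items() if len(ips) > 1}


def tokens_without_login(log_text: str) -> list:
    """Tokens seen on requests that were never issued by a login_ok event in
    this log: a reproduced or guessed token would look like this."""
    issued, used = set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, event, _ip, tok = parse_line(line)
        (issued if event == "login_ok" else used).add(tok)
    return sorted(used - issued)


if __name__ == "__main__":
    print("token shared across clients:", tokens_used_from_multiple_clients(SAMPLE_LOG))
    print("token used but never issued:", tokens_without_login(SAMPLE_LOG))
```

Both checks run on the device's log export or on a syslog collector fed by it; the first needs only a token-to-client mapping, the second needs the login events to be retained for at least the configured session lifetime so that legitimately issued tokens are not misreported.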
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-10-22T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68f8501287e9a014511a9015
Added to database: 10/22/2025, 3:31:30 AM
Last enriched: 10/29/2025, 4:40:11 AM
Last updated: 12/8/2025, 3:16:10 AM
Views: 86
Related Threats
- CVE-2025-14209: SQL Injection in Campcodes School File Management System (Medium)
- CVE-2025-14208: Command Injection in D-Link DIR-823X (Medium)
- CVE-2025-14207: SQL Injection in tushar-2223 Hotel-Management-System (Medium)
- CVE-2025-14206: Improper Authorization in SourceCodester Online Student Clearance System (Medium)
- CVE-2025-14205: Cross Site Scripting in code-projects Chamber of Commerce Membership Management System (Medium)