CVE-2025-63216 is a critical authentication bypass vulnerability affecting the Itel DAB Gateway (IDGat build c041640a) firmware. The root cause is improper validation of JSON Web Tokens (JWTs) across devices running the same firmware version. JWTs are typically used to authenticate users or devices by encoding claims and verifying signatures. However, in this case, the gateway firmware fails to bind JWT tokens to a specific device context or user session. Consequently, a valid JWT token obtained from one device can be reused by an attacker to authenticate on any other device running the same firmware, bypassing password and network authentication controls. This flaw effectively allows attackers to escalate privileges to administrative level on all vulnerable devices. The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-384 (Session Fixation). The CVSS 3.1 base score is 10.0, reflecting network attack vector, no required privileges or user interaction, and complete compromise of confidentiality, integrity, and availability. No patches or updates have been released yet, and no public exploits are known. The vulnerability poses a severe risk to environments relying on these gateways for secure communications or device management, as attackers can fully control affected devices remotely.

For European organizations, this vulnerability presents a critical risk especially for sectors relying on Itel DAB Gateway devices for secure digital audio broadcasting or related communications infrastructure. Attackers exploiting this flaw can gain administrative control over multiple devices, potentially leading to interception or manipulation of sensitive communications, disruption of service, or lateral movement within networks. Critical infrastructure operators, media broadcasters, and enterprises using these gateways could face operational outages, data breaches, and reputational damage. The ability to bypass authentication without user interaction or privileges significantly lowers the barrier for exploitation, increasing the likelihood of attacks. Additionally, the shared JWT token reuse means a single compromised device can jeopardize the entire fleet of devices running the vulnerable firmware, amplifying the impact across organizations and sectors.

Given the absence of official patches, European organizations should immediately implement compensating controls. These include: 1) Isolating Itel DAB Gateway devices on dedicated network segments with strict access controls to limit exposure. 2) Monitoring network traffic for anomalous JWT token reuse patterns or unexpected administrative logins across devices. 3) Enforcing strong network-level authentication and VPN usage to restrict access to gateway management interfaces. 4) Disabling remote management features if not essential. 5) Coordinating with Itel for timely firmware updates or advisories. 6) Conducting thorough inventory and risk assessments to identify all affected devices. 7) Implementing multi-factor authentication at network access points to reduce risk of unauthorized access. 8) Preparing incident response plans specific to potential gateway compromise scenarios. These targeted measures go beyond generic advice by focusing on network segmentation, monitoring for token misuse, and reducing attack surface until patches are available.