CVE-2025-63217 identifies a critical authentication bypass vulnerability in the Itel DAB MUX devices running the IDMUX firmware build c041640a. The root cause is improper validation of JWT tokens across devices, which are used for authentication. Normally, JWTs should be device-specific and bound to particular credentials or network contexts. However, in this case, a JWT token issued by one device can be reused on any other device running the same firmware, bypassing authentication controls entirely. This means that an attacker who obtains a valid JWT—potentially through legitimate access or interception—can authenticate as an administrator on any other vulnerable device without needing the correct password or network access. This flaw effectively breaks the isolation between devices and allows lateral movement and full administrative control. The vulnerability affects all devices running the specified firmware version, with no differentiation by network or password configuration. No patches or fixes have been published yet, and no exploits have been reported in the wild, but the vulnerability's nature suggests it could be exploited with minimal technical effort once a valid JWT is obtained. The lack of a CVSS score indicates the need for a severity assessment based on impact and exploitability factors. Given the administrative access granted, the vulnerability threatens confidentiality, integrity, and availability of affected devices, potentially leading to device manipulation, data leakage, or service disruption.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Itel DAB MUX devices in critical communication or broadcasting infrastructure. Unauthorized administrative access could lead to full device compromise, enabling attackers to alter configurations, disrupt services, or pivot to other network segments. This could impact operational continuity, data confidentiality, and network integrity. Organizations in sectors such as telecommunications, media broadcasting, and public safety communications are particularly vulnerable. The ability to bypass authentication without needing passwords or network credentials increases the attack surface and lowers the barrier for exploitation. Additionally, the reuse of JWTs across devices undermines trust in the authentication mechanism, potentially affecting compliance with security standards and regulations. The absence of patches means organizations must rely on compensating controls to mitigate risk. The impact extends beyond individual devices to potentially affect entire networks or services dependent on these devices, leading to reputational damage and regulatory consequences under frameworks like GDPR if personal data is compromised.

1. Immediately implement network segmentation to isolate Itel DAB MUX devices from general enterprise networks and limit access to trusted administrators only. 2. Monitor network traffic for unusual JWT token usage patterns, such as tokens being used across multiple devices or IP addresses, which may indicate exploitation attempts. 3. Enforce strict access controls and multi-factor authentication on management interfaces where possible to reduce the risk of token theft. 4. Engage with the device vendor (Itel) to request urgent firmware updates or patches addressing the JWT validation flaw. 5. If possible, revoke or invalidate all existing JWT tokens and require re-authentication to minimize token reuse risk. 6. Conduct thorough audits of device logs to detect any unauthorized administrative access. 7. Consider deploying Web Application Firewalls (WAFs) or Intrusion Detection/Prevention Systems (IDS/IPS) with custom rules to detect and block suspicious authentication attempts. 8. Develop and test incident response plans specific to this vulnerability to ensure rapid containment if exploitation is detected. 9. Educate administrators about the risk of token reuse and the importance of safeguarding authentication tokens. 10. Plan for device replacement if patches are not forthcoming or if devices cannot be secured adequately.