CVE-2025-64097: CWE-330: Use of Insufficiently Random Values in nerves-hub nerves_hub_web
NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation, firewalling access to the NervesHub server can help limit exposure until an upgrade is possible.
AI Analysis
Technical Summary
NervesHub is a web service designed to manage over-the-air firmware updates for devices deployed in the field. Versions 1.0.0 through 2.2.x of the nerves_hub_web component suffer from a critical security vulnerability (CVE-2025-64097) classified under CWE-330, the use of insufficiently random values. Specifically, the API tokens issued to users were generated in a predictable format that incorporated user-identifiable information and lacked cryptographic randomness. This design flaw allowed attackers to perform brute-force or enumeration attacks against API tokens without prior authentication or user interaction. Successful exploitation could grant unauthorized access to user accounts and allow malicious API actions, potentially compromising the confidentiality and integrity of managed devices and their firmware updates. The vulnerability is rated critical with a CVSS 4.0 score of 9.5, reflecting its high impact and ease of exploitation over the network.

The fix, introduced in version 2.3.0, replaces the token generation mechanism with one based on `:crypto.strong_rand_bytes/1` to ensure cryptographically secure randomness. Additionally, tokens are now hashed before storage in the database, mitigating risks from database compromise, and token storage is context-aware to differentiate session tokens from API tokens. No practical workarounds exist other than upgrading; however, organizations can temporarily reduce risk by restricting network access to the NervesHub server via firewall rules until patching is completed. There are no known exploits in the wild at this time, but the critical nature of the flaw demands prompt remediation.
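The three properties of the fix described above (tokens drawn entirely from a CSPRNG, hashing before database storage, and context-aware storage that keeps API and session tokens apart) can be seen together in the following Python illustration. It is added here and is not NervesHub's code: `secrets.token_urlsafe` stands in for Erlang's `:crypto.strong_rand_bytes/1`, an in-memory dict stands in for the database table, and the `nh_<context>_` prefix and the `TokenStore` API are assumptions of the example, not the project's.

```python
"""Token issuance and verification in the style of the CVE-2025-64097 fix.

Added illustration, not NervesHub's code. Stand-ins (assumptions):
  - secrets.token_urlsafe() plays the role of :crypto.strong_rand_bytes/1
  - an in-memory dict plays the role of the database table
  - the "nh_<context>_" prefix and the TokenStore API are invented here
"""
import hashlib
import secrets
from dataclasses import dataclass

TOKEN_BYTES = 32                      # 256 bits from the OS CSPRNG per token
CONTEXTS = ("api", "session")         # a token is valid only for the context it was issued for


@dataclass(frozen=True)
class TokenRecord:
    """What the database holds: never the token itself, only its digest."""
    user_id: int
    context: str
    token_hash: str                   # hex SHA-256 of the plaintext token


def digest(token: str) -> str:
    """Hash tokens before storage so a dumped table cannot be replayed."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    def __init__(self) -> None:
        self._rows: dict[str, TokenRecord] = {}    # keyed by token_hash

    def issue(self, user_id: int, context: str) -> str:
        """Create a token; the plaintext is returned once and never persisted."""
        if context not in CONTEXTS:
            raise ValueError(f"unknown token context: {context!r}")
        # No user id, timestamp or counter goes into the token: every bit of
        # the secret part comes from the CSPRNG, so tokens cannot be enumerated.
        token = f"nh_{context}_{secrets.token_urlsafe(TOKEN_BYTES)}"
        self._rows[digest(token)] = TokenRecord(user_id, context, digest(token))
        return token

    def authenticate(self, presented: str, context: str):
        """Return the user id if `presented` is a live token for `context`, else None.

        Looking up by digest means equality is checked on hashes of high-entropy
        values, so the comparison leaks nothing useful about the plaintext.
        """
        row = self._rows.get(digest(presented))
        if row is None or row.context != context:
            return None
        return row.user_id

    def revoke(self, presented: str) -> bool:
        """Rotation/revocation: delete the row for a token; True if one existed."""
        return self._rows.pop(digest(presented), None) is not None

    def dump(self) -> list[TokenRecord]:
        """Simulate an attacker reading the table: only digests come out."""
        return list(self._rows.values())


if __name__ == "__main__":
    store = TokenStore()
    api_token = store.issue(7, "api")
    print("API token authenticates as user", store.authenticate(api_token, "api"))
    print("Same token in session context:", store.authenticate(api_token, "session"))
    print("Table contents:", store.dump())
```

The context check is the piece that is easy to omit: a token that is valid for the API must be rejected when presented as a session credential and vice versa, which is what the advisory's "context-aware token storage" provides. Verifying the post-upgrade deployment then reduces to confirming that the token table holds digests rather than plaintext and that a freshly issued token contains no user-derived component.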
Potential Impact
For European organizations, the impact of CVE-2025-64097 can be severe, especially those relying on NervesHub for managing firmware updates of IoT or embedded devices. Unauthorized access to API tokens could allow attackers to manipulate firmware deployments, potentially injecting malicious code or disrupting device operations. This compromises device integrity and availability, leading to operational disruptions, safety risks, and potential data breaches. Given the critical CVSS score and the fact that exploitation requires no authentication or user interaction, the threat surface is broad. Industries such as manufacturing, automotive, healthcare, and critical infrastructure that deploy embedded devices managed via NervesHub are particularly at risk. The ability to control firmware updates remotely means attackers could pivot to cause widespread damage or espionage. Additionally, regulatory compliance under GDPR and NIS Directive may be impacted if unauthorized access leads to personal data exposure or service outages. The lack of practical workarounds increases urgency for patching. Temporary firewalling can reduce exposure but may not be feasible in all operational environments. Overall, the vulnerability poses a high risk to the security posture and operational continuity of affected European entities.
Mitigation Recommendations
The primary and most effective mitigation is to upgrade all instances of nerves_hub_web to version 2.3.0 or later, where the vulnerability is fully addressed. Organizations should implement a rapid patch management process to identify and update all affected deployments. In environments where immediate upgrading is not possible, network-level controls should be applied to restrict access to the NervesHub server, limiting exposure to trusted IP addresses and internal networks only. Monitoring and logging of API token usage should be enhanced to detect anomalous access patterns indicative of brute-force or enumeration attempts. Additionally, organizations should audit their token management policies and ensure tokens are rotated regularly. Post-upgrade, verify that token storage uses hashing as per the fix to protect against database compromise. Conduct security assessments of the OTA update process to confirm no residual weaknesses remain. Finally, educate operational teams about the risks of token compromise and enforce strict access controls around the NervesHub management interfaces.
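One way to act on the monitoring recommendation above, added here as an example rather than taken from the advisory or from NervesHub: a sliding-window count of rejected API requests per source address, run over constructed log lines. The log line format, the `/api/` path prefix, the HTTP 401 status for a rejected token and the thresholds are all assumptions of the example; NervesHub's real log format is not on this page.

```python
"""Sliding-window detection of API token guessing against an OTA server.

Added example, not from the advisory or NervesHub. Assumptions:
  - log lines look like the constructed SAMPLE_LOG below (NervesHub's real
    format is not on the page)
  - token-protected endpoints live under /api/ and a rejected token yields 401
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: one address hammering the API, one legitimate user with a
# mistyped token followed by success, one slow drip of failures, and one
# non-API login failure that the detector should ignore.
SAMPLE_LOG = """\
2026-01-22T15:05:00Z ip=203.0.113.5 path=/api/devices status=401
2026-01-22T15:05:03Z ip=198.51.100.7 path=/api/devices status=401
2026-01-22T15:05:05Z ip=203.0.113.5 path=/api/devices status=401
2026-01-22T15:05:09Z ip=203.0.113.5 path=/api/products status=401
2026-01-22T15:05:12Z ip=198.51.100.7 path=/api/devices status=200
2026-01-22T15:05:14Z ip=203.0.113.5 path=/api/devices status=401
2026-01-22T15:05:18Z ip=203.0.113.5 path=/api/devices status=401
2026-01-22T15:05:21Z ip=203.0.113.5 path=/api/devices status=401
2026-01-22T15:05:25Z ip=203.0.113.5 path=/login status=401
2026-01-22T15:05:30Z ip=192.0.2.9 path=/api/devices status=401
2026-01-22T15:07:30Z ip=192.0.2.9 path=/api/devices status=401
2026-01-22T15:09:30Z ip=192.0.2.9 path=/api/devices status=401
2026-01-22T15:11:30Z ip=192.0.2.9 path=/api/devices status=401
2026-01-22T15:13:30Z ip=192.0.2.9 path=/api/devices status=401
"""


def parse_line(line: str):
    """Return (timestamp, ip, path, status) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["ip"], m["path"], int(m["status"])


def detect_token_guessing(lines, threshold=5, window=timedelta(minutes=1),
                          api_prefix="/api/"):
    """Map each source IP to the time it first reached `threshold` rejected API
    requests inside any `window`-long interval. Lines are assumed chronological."""
    recent = defaultdict(deque)          # ip -> timestamps of 401s still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # unrelated or malformed line
        ts, ip, path, status = parsed
        if status != 401 or not path.startswith(api_prefix):
            continue                     # only rejected token-protected requests count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts              # record the first time the threshold was crossed
    return alerts


if __name__ == "__main__":
    for ip, when in detect_token_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: reached threshold at {when.isoformat()}")
```

With the default one-minute window only the fast guesser is flagged; widening the window to ten minutes also catches the slow drip, which is the usual tuning trade-off between catching low-and-slow enumeration and tolerating ordinary mistyped tokens. After the upgrade to 2.3.0 the tokens themselves are no longer guessable, but the same signal remains useful for spotting credential stuffing with leaked tokens.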
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-27T15:26:14.126Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69723cd54623b1157c778439
Added to database: 1/22/2026, 3:05:57 PM
Last enriched: 1/22/2026, 3:21:28 PM
Last updated: 2/7/2026, 2:03:15 AM