CVE-2025-64385: CWE-20 Improper Input Validation in Circutor TCPRS1plus
The equipment can initially be configured using the manufacturer's application, by Wi-Fi, by the web server or with the manufacturer's software. Using the manufacturer's software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device's MAC without the need for authentication.
AI Analysis
Technical Summary
CVE-2025-64385 identifies a critical security vulnerability in the Circutor TCPRS1plus device, specifically version 1.0.14. The vulnerability arises from improper input validation (CWE-20) in the device's configuration process. The device can be configured initially through multiple interfaces, including Wi-Fi, a web server, and the manufacturer's software. The manufacturer's software configures the device over UDP. Analysis of that traffic shows that the device accepts configuration changes over UDP based solely on the device's MAC address, without requiring any authentication or user interaction. This means an attacker who can spoof the MAC address of a target device can send crafted UDP packets to alter any aspect of the device's initial configuration. The CVSS 4.0 vector indicates the attack can be performed over the network (AV:N), requires no privileges (PR:N), no user interaction (UI:N) and no special attack requirements (AT:N). On the vulnerable system there is no confidentiality impact (VC:N), a low integrity impact (VI:L) and a high availability impact (VA:H); on subsequent systems the integrity impact is low (SI:L) and the availability impact is high (SA:H). The vulnerability could allow attackers to disrupt device operations, causing denial of service or enabling further attacks by manipulating device settings. No patches or firmware updates are currently available, and no exploits have been reported in the wild. The vulnerability was published on October 31, 2025; the CVE ID was assigned by S21sec.
Potential Impact
For European organizations, especially those in critical infrastructure sectors such as energy management, manufacturing, and industrial automation, this vulnerability poses a significant risk. Circutor devices like the TCPRS1plus are used for power monitoring and energy management, making them integral to operational stability. Unauthorized configuration changes could lead to device misbehavior, inaccurate data reporting, or complete denial of service, disrupting business operations and potentially causing safety hazards. The lack of authentication means attackers can remotely exploit this vulnerability without needing credentials or user interaction, increasing the risk of widespread attacks. Additionally, compromised devices could be leveraged as entry points for lateral movement within industrial networks, threatening broader organizational security. The impact on availability and integrity could lead to regulatory non-compliance and financial losses. Given the criticality of energy and industrial sectors in Europe, the threat is particularly concerning for organizations relying on Circutor devices for operational continuity.
Mitigation Recommendations
1. Immediately implement network segmentation to isolate Circutor TCPRS1plus devices from general enterprise networks and restrict access to trusted management systems only.
2. Employ strict MAC address filtering on network switches and routers to prevent unauthorized devices from spoofing legitimate MAC addresses associated with TCPRS1plus devices.
3. Monitor UDP traffic directed at these devices for anomalous or unexpected configuration packets, using intrusion detection systems (IDS) or network behavior analysis tools.
4. Disable or restrict UDP-based configuration interfaces if possible until a vendor patch is available.
5. Engage with Circutor to obtain firmware updates or patches addressing this vulnerability and apply them promptly once released.
6. Conduct regular audits of device configurations to detect unauthorized changes early.
7. Implement strong physical security controls to prevent local network access that could facilitate MAC spoofing.
8. Educate operational technology (OT) and IT security teams about this vulnerability and the importance of monitoring and controlling device configuration channels.
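A small detector for mitigation items 1 to 3, added here as an example (not code from the advisory, from Circutor or from the CNA): it scans flow records for UDP traffic to a TCPRS1plus device that does not originate from an allow-listed management host, and for an inventoried device MAC that shows up as a source MAC from an IP other than its own, a simple MAC-spoofing signal. The device inventory, the allow-list, the addresses and the flow-record format are all constructed assumptions.

```python
# Added example, not from the advisory: detector for mitigation items 1-3.
# Flags (a) UDP to a TCPRS1plus device from a host outside the management
# allow-list and (b) an inventoried device MAC sending from an IP other than
# its own (a simple MAC-spoofing signal). All addresses and the record
# format are constructed placeholders.
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_mac dst_ip proto")

# Constructed inventory: device IP -> device MAC.
TCPRS1PLUS_DEVICES = {"10.20.0.11": "00:11:22:33:44:55",
                      "10.20.0.12": "00:11:22:33:44:56"}
# Constructed allow-list of hosts permitted to send UDP configuration traffic.
TRUSTED_MANAGERS = {"10.20.0.5"}

# Constructed flow records, one "src_ip src_mac dst_ip proto" per line.
SAMPLE_FLOWS = """\
10.20.0.5  aa:bb:cc:00:00:01 10.20.0.11 udp
10.20.0.11 00:11:22:33:44:55 10.20.0.5  udp
10.20.0.77 aa:bb:cc:00:00:99 10.20.0.11 udp
10.20.0.77 00:11:22:33:44:56 10.20.0.12 udp
10.20.0.77 aa:bb:cc:00:00:99 10.20.0.11 tcp
"""

def parse_flow(line):
    """Parse one record; MAC and protocol are normalised for comparison."""
    src_ip, src_mac, dst_ip, proto = line.split()
    return Flow(src_ip, src_mac.lower(), dst_ip, proto.upper())

def find_alerts(text, devices=TCPRS1PLUS_DEVICES, managers=TRUSTED_MANAGERS):
    """Return (rule, subject, detail) tuples, one per suspicious record."""
    expected_ip = {mac: ip for ip, mac in devices.items()}
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        # (b) a known device MAC is sourcing traffic from the wrong IP.
        if f.src_mac in expected_ip and expected_ip[f.src_mac] != f.src_ip:
            alerts.append(("device-mac-ip-mismatch", f.src_mac, f.src_ip))
        # (a) only the UDP channel is unauthenticated, so TCP (web UI) is ignored.
        if f.dst_ip in devices and f.proto == "UDP" and f.src_ip not in managers:
            alerts.append(("untrusted-udp-to-device", f.src_ip, f.dst_ip))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(*alert)
```

In a real deployment the records would come from switch flow exports or a span-port capture, and the inventory from the asset register used for the segmentation in item 1.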
Affected Countries
Germany, France, Spain, Italy, United Kingdom, Netherlands, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: S21sec
- Date Reserved: 2025-10-31T13:13:35.298Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6904c9ac8ec00889be37f4ff
Added to database: 10/31/2025, 2:37:32 PM
Last enriched: 11/8/2025, 2:25:51 AM
Last updated: 12/16/2025, 8:02:46 PM