CVE-2025-64386: CWE-613 Insufficient Session Expiration in Circutor TCPRS1plus
The equipment grants a JWT token for each connection in the timeline, but during an active valid session the token can be hijacked. This allows an attacker holding the token to modify security or access parameters, or even to steal the session, without the legitimate active session detecting it. The web server allows the attacker to reuse an old session JWT token while the legitimate session is active.
AI Analysis
Technical Summary
CVE-2025-64386 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting Circutor's TCPRS1plus device, specifically version 1.0.14. The device uses JSON Web Tokens (JWT) to manage session authentication for its web server interface. However, the session management implementation is flawed: the server keeps accepting previously issued JWT tokens even while a legitimate session is active, so issuing a new session or ending the old one does not invalidate earlier tokens. This means that if an attacker obtains a valid JWT token, potentially through interception or other means, they can hijack the session without the legitimate user being aware. The attacker can then modify security-related parameters or access sensitive functions on the device. The vulnerability has a CVSS 4.0 base score of 7.7, indicating high severity. The vector metrics show the attack is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N) and no special attack requirements (AT:N), but requires user interaction (UI:P). The impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H). No patches or exploits are currently publicly available, but the risk remains significant due to the critical nature of the device's role in energy management and industrial environments. The root cause is the failure to properly expire or revoke JWT tokens, allowing session fixation or replay attacks. This undermines the trust model of the authentication mechanism and can lead to unauthorized control or data manipulation.
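To make the root cause concrete, the following added example (written for this page, not Circutor's firmware or any code from the advisory) models two session servers with a minimal standard-library HS256 JWT. The first accepts any correctly signed token until a long expiry, which reproduces the behaviour the advisory describes: an older token keeps working while a newer session for the same user is active and even after that user logs out. The second keeps a server-side registry of the single current token id (jti) per user, so a new login or a logout invalidates every earlier token at once, and pairs that with a short lifetime. The signing key, user names and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed signing key for the demonstration; a real device holds its own secret.
SIGNING_KEY = b"constructed-demo-key-not-a-real-device-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Minimal HS256 JWT encoder (standard library only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Returns the claims if the HS256 signature checks out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):  # malformed base64, wrong part count, bad JSON
        return None


class WeakSessionServer:
    """Model of the flawed behaviour the advisory describes (not the vendor's code):
    any token with a valid signature is honoured until its long expiry, so a newer
    login or a logout does nothing to tokens issued earlier."""

    def login(self, user: str, now: int) -> str:
        return sign_jwt({"sub": user, "iat": now, "exp": now + 86400})  # one-day lifetime

    def logout(self, token: str) -> None:
        pass  # nothing is revoked server-side

    def is_valid(self, token: str, now: int) -> bool:
        claims = verify_signature(token)
        return claims is not None and claims.get("exp", 0) > now


class HardenedSessionServer:
    """Short lifetime, a unique token id (jti) and a server-side registry that
    recognises only the newest token per user: a new login or a logout
    invalidates every earlier token immediately."""

    TTL_SECONDS = 600

    def __init__(self) -> None:
        self.active: dict = {}  # user -> jti of the single currently valid session

    def login(self, user: str, now: int) -> str:
        jti = secrets.token_hex(16)
        self.active[user] = jti  # supersedes any earlier session for this user
        return sign_jwt({"sub": user, "jti": jti, "iat": now, "exp": now + self.TTL_SECONDS})

    def logout(self, token: str) -> None:
        claims = verify_signature(token)
        # Only the current token may end the session, so a stale token cannot log the real user out.
        if claims and self.active.get(claims.get("sub")) == claims.get("jti"):
            del self.active[claims["sub"]]

    def is_valid(self, token: str, now: int) -> bool:
        claims = verify_signature(token)
        if claims is None or claims.get("exp", 0) <= now:
            return False
        return self.active.get(claims.get("sub")) == claims.get("jti")


def replay_scenario(server_cls) -> tuple:
    """Replays the advisory's scenario against either model and returns
    (old token accepted while a newer session is active, old token accepted after logout)."""
    srv = server_cls()
    t0 = 1_700_000_000
    old_token = srv.login("admin", t0)          # first session
    new_token = srv.login("admin", t0 + 60)     # the legitimate user logs in again
    during = srv.is_valid(old_token, t0 + 120)  # old token presented while the new session is active
    srv.logout(new_token)
    after = srv.is_valid(old_token, t0 + 180)   # old token presented after the user logged out
    return during, after


if __name__ == "__main__":
    print("weak    :", replay_scenario(WeakSessionServer))      # (True, True)
    print("hardened:", replay_scenario(HardenedSessionServer))  # (False, False)
```

The registry is the part that matters: a signature check alone only proves a token was once issued, not that the session it belongs to is still the current one. Keeping the current jti per user server-side is what lets a logout or a fresh login revoke earlier tokens instead of waiting for them to expire.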
Potential Impact
For European organizations, especially those involved in energy management, industrial automation, or critical infrastructure, this vulnerability poses a substantial risk. Session hijacking can lead to unauthorized changes in device configuration, disruption of energy monitoring or control functions, and potential data breaches. This can compromise operational integrity and availability, potentially causing service outages or safety hazards. The ability to modify security parameters without detection increases the risk of persistent unauthorized access and lateral movement within networks. Given the strategic importance of energy infrastructure in Europe, exploitation could have cascading effects on national grids or industrial processes. The absence of privilege requirements (PR:N) and the network attack vector make it easier for remote attackers to exploit the vulnerability if they can obtain or intercept a token. Although no known exploits are reported, the high impact and the ease of exploitation once a token has been obtained warrant immediate attention to prevent future attacks.
Mitigation Recommendations
1. Circutor should release a firmware update that enforces strict session expiration policies, ensuring JWT tokens are invalidated immediately upon session termination or after a short timeout period.
2. Implement token revocation mechanisms to invalidate tokens once a new session is established or upon logout.
3. Employ secure transmission protocols (e.g., TLS) to protect JWT tokens from interception.
4. Monitor web server logs and network traffic for signs of token reuse or anomalous session activity indicative of hijacking attempts.
5. Segment the network to isolate TCPRS1plus devices from general user networks, limiting exposure to potential attackers.
6. Use multi-factor authentication if supported to reduce reliance on JWT tokens alone.
7. Educate users about phishing and social engineering risks that could lead to token theft.
8. If immediate patching is not possible, consider disabling remote web access or restricting it via VPN or IP whitelisting.
9. Conduct regular security audits and penetration tests focusing on session management controls.
10. Collaborate with Circutor support to obtain guidance on interim mitigations and updates.
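Recommendation 4 (monitor logs for token reuse) can be turned into a concrete check. The added example below is written for this page and is not a Circutor tool; it assumes a web server log that records, per request, the user and the token id (jti, or equally a hash of the token) presented, which is a constructed format. Walking the log in order, it flags three patterns that match the behaviour in the advisory: a token used after the same user obtained a newer one (stale-token reuse), a token used after it was logged out (revoked-token reuse), and one token id seen from more than one source address.

```python
import re
from collections import defaultdict

# Constructed access-log excerpt (not real device output). Field layout is an assumption:
# timestamp, auth event, user, token id, source address, optional request path.
SAMPLE_LOG = """\
2025-11-01T10:00:00Z auth=login user=admin jti=a1 src=10.0.0.5
2025-11-01T10:00:05Z auth=request user=admin jti=a1 src=10.0.0.5 path=/api/config
2025-11-01T10:01:10Z auth=login user=operator jti=c3 src=10.0.0.9
2025-11-01T10:02:00Z auth=login user=admin jti=b2 src=10.0.0.5
2025-11-01T10:02:30Z auth=request user=admin jti=a1 src=10.0.0.77 path=/api/security
2025-11-01T10:03:00Z auth=request user=admin jti=b2 src=10.0.0.5 path=/api/status
2025-11-01T10:03:20Z auth=request user=operator jti=c3 src=10.0.0.9 path=/api/status
2025-11-01T10:05:00Z auth=logout user=admin jti=b2 src=10.0.0.5
2025-11-01T10:05:40Z auth=request user=admin jti=b2 src=10.0.0.5 path=/api/config
this line is not an auth record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<event>login|logout|request) "
    r"user=(?P<user>\S+) jti=(?P<jti>\S+) src=(?P<src>\S+)"
)


def parse_line(line: str):
    """Returns the fields of one auth record, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_token_reuse(lines):
    """Walks the log in order and returns (kind, timestamp, user, jti, src) findings."""
    current = {}                # user -> jti of that user's newest login
    revoked = set()             # token ids that were explicitly logged out
    sources = defaultdict(set)  # jti -> source addresses it has been seen from
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        ts, user, jti, src = rec["ts"], rec["user"], rec["jti"], rec["src"]
        sources[jti].add(src)
        if rec["event"] == "login":
            current[user] = jti  # a newer session supersedes any earlier token
            continue
        if rec["event"] == "logout":
            revoked.add(jti)
            continue
        # Regular request: the token should be the user's current, un-revoked one.
        if jti in revoked:
            findings.append(("revoked-token-reuse", ts, user, jti, src))
        elif current.get(user) != jti:
            # Also covers a jti never issued by a logged login, which is equally suspicious.
            findings.append(("stale-token-reuse", ts, user, jti, src))
        if len(sources[jti]) > 1:
            # Fires on each request once a second source address has used the same token.
            findings.append(("token-from-multiple-sources", ts, user, jti, src))
    return findings


if __name__ == "__main__":
    for finding in find_token_reuse(SAMPLE_LOG.splitlines()):
        print(*finding)
```

On the sample, the request at 10:02:30 produces two findings (the admin's first token is used after a newer login, and from a second address), and the request at 10:05:40 produces one (the token was logged out before it was used again). On a device with the flaw, all three requests would have been served normally, so this kind of log correlation is the only place the reuse becomes visible.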
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
Data Version: 5.2
Assigner Short Name: S21sec
Date Reserved: 2025-10-31T13:13:35.299Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 6904bf30f54b4a89977c5647
Added to database: 10/31/2025, 1:52:48 PM
Last enriched: 11/8/2025, 2:35:49 AM
Last updated: 12/15/2025, 6:30:02 AM