CVE-2025-66953 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the narda miteq Uplink Power Control Unit (UPC2) version 1.17. The vulnerability resides in the device's web-based management interface, specifically within endpoints like /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm, and /channel_setup.htm. An attacker can exploit this flaw remotely by tricking an authenticated user into submitting crafted requests, which the device processes without proper CSRF token validation. This leads to arbitrary code execution on the device, compromising its confidentiality, integrity, and availability. The CVSS 3.1 base score of 8.8 reflects the high impact and ease of exploitation, as no privileges are required and only user interaction is necessary. Although no public exploits have been reported yet, the vulnerability poses a significant threat to telecommunications infrastructure relying on this hardware. The lack of available patches increases the urgency for organizations to implement compensating controls. The CWE-352 classification confirms the root cause as insufficient CSRF protections in the web interface. This vulnerability could allow attackers to manipulate device configurations, disrupt uplink power control, and potentially cause widespread service outages or data leakage.

For European organizations, particularly those in telecommunications and critical infrastructure sectors, this vulnerability could lead to severe operational disruptions. Exploitation may allow attackers to alter uplink power settings, degrade network performance, or cause outages affecting large user bases. Confidential information managed by the device could be exposed or manipulated, undermining trust and regulatory compliance, especially under GDPR mandates. The integrity of network configurations could be compromised, enabling persistent unauthorized access or facilitating further attacks within the network. The availability of critical communication services could be impacted, affecting emergency services and business continuity. Given the device's role in uplink power control, the threat extends to any dependent systems and services, amplifying the potential damage. The absence of patches and the device's deployment in European telecom networks elevate the risk profile for affected organizations.

Organizations should immediately implement strict CSRF protections on the web management interface, including the use of anti-CSRF tokens and validating the origin of requests. Network segmentation should isolate the management interface from general user networks to reduce exposure. Access to the device's web interface must be restricted using strong authentication mechanisms and IP whitelisting where possible. Monitoring and logging of management interface access should be enhanced to detect suspicious activities promptly. If feasible, disable the web interface or restrict it to maintenance windows until a vendor patch is available. Employ web application firewalls (WAFs) to filter malicious requests targeting the vulnerable endpoints. Regularly review and update device firmware and configurations, and engage with the vendor for timely patch releases. Conduct user awareness training to prevent social engineering attacks that could trigger CSRF exploitation.