CVE-2025-9963 is a path traversal vulnerability classified under CWE-22 affecting Novakon P series devices, specifically models P07, P10, P12, and P15. The flaw stems from insufficient validation and restriction of pathname inputs, allowing an attacker with local access to traverse directories beyond intended boundaries. This enables exposure of the root filesystem ("/") and unauthorized modification of any file with root-level permissions. The vulnerability affects firmware versions from P – V2001.A.c518o2 through P-2.0.05 Build 2026.02.06. The attack vector is local (AV:L), requiring no authentication (PR:N) or user interaction (UI:N), but the vulnerability has high complexity and scope, affecting confidentiality, integrity, and availability at a high level (VC:H, VI:H, VA:H). The vulnerability's critical CVSS score of 9.4 reflects the severe risk of full system compromise, including potential persistent control over the device. While no public exploits are known, the severity and ease of exploitation without authentication make this a significant threat to affected systems. The vulnerability was reserved and published in September 2025, with no patches currently linked, indicating an urgent need for vendor remediation and interim mitigations.

The impact of CVE-2025-9963 is severe for organizations deploying Novakon P series devices, as exploitation allows attackers to gain root-level access to the entire filesystem. This can lead to complete system compromise, including unauthorized data disclosure, modification or deletion of critical files, installation of persistent malware, and disruption of device functionality. Given the root-level access, attackers could pivot to other networked systems, escalate privileges, or disrupt operational technology environments relying on these devices. The vulnerability's local attack vector limits remote exploitation but does not eliminate risk in environments where local access is possible, such as internal networks, maintenance personnel, or compromised endpoints. The absence of required authentication and user interaction lowers the barrier for exploitation once local access is obtained. Organizations may face operational downtime, data breaches, and loss of trust if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not preclude future attacks, especially given the critical severity.

To mitigate CVE-2025-9963, organizations should implement the following specific measures: 1) Restrict physical and local network access to Novakon P series devices to trusted personnel only, employing network segmentation and access control lists to limit exposure. 2) Monitor and audit local access logs for suspicious activity indicative of exploitation attempts. 3) Apply vendor patches immediately once released; until then, consider deploying host-based intrusion detection systems (HIDS) to detect unauthorized file modifications. 4) Employ application whitelisting and integrity verification tools on devices to detect and prevent unauthorized changes to critical files. 5) Disable or restrict unnecessary local services or interfaces that could be leveraged to gain local access. 6) Conduct regular security training for staff with local access to these devices to recognize and report suspicious behavior. 7) If feasible, implement mandatory access controls (MAC) or sandboxing to limit the impact of potential path traversal exploitation. 8) Engage with the vendor for timelines on patch availability and request interim mitigations or workarounds. These targeted actions go beyond generic advice by focusing on limiting local access, monitoring for exploitation, and preparing for patch deployment.