CVE-2025-9964 identifies a critical security weakness in the Novakon P series devices (models P07, P10, P12, P15) where the root user account lacks any password protection. This vulnerability stems from weak password requirements classified under CWE-521, effectively leaving the root account open and accessible without authentication. The affected firmware versions range from P – V2001.A.C518o2 through P-2.0.05 Build 2026.02.06. Because the root account is unprotected, any attacker with physical access to the device's console can gain full administrative control, bypassing all security controls. The vulnerability has a CVSS 4.0 base score of 8.6, reflecting its high impact on confidentiality, integrity, and availability, with low attack complexity since no authentication or user interaction is required. The attack vector is physical access, which limits remote exploitation but poses a serious risk in environments where devices are accessible to unauthorized personnel. No patches or mitigations have been officially released yet, and no known exploits have been observed in the wild. This vulnerability is particularly concerning for industrial control systems, embedded devices, or critical infrastructure environments where Novakon P series devices are deployed, as attackers could manipulate device operations, disrupt services, or exfiltrate sensitive data.

The vulnerability allows an attacker with physical access to gain unrestricted root access to affected Novakon P series devices. This compromises the confidentiality of any sensitive data stored or processed by the device, including configuration and operational data. Integrity is at risk as attackers can modify system settings, firmware, or operational parameters, potentially causing malfunction or sabotage. Availability can be disrupted by attackers who may disable or alter device functions, leading to downtime or safety hazards in industrial or critical infrastructure contexts. The lack of password protection means that even a low-skilled attacker can exploit this vulnerability easily once physical access is obtained. Organizations relying on these devices for operational technology (OT) or embedded control systems face increased risk of insider threats, physical tampering, or supply chain attacks. The absence of known exploits in the wild suggests limited current exploitation but also indicates a window of opportunity for attackers before patches are available.

1. Immediately enforce strict physical security controls around all Novakon P series devices to prevent unauthorized physical access, including locked enclosures, surveillance, and access logging. 2. Where possible, restrict console access ports or disable unused physical interfaces to reduce attack surface. 3. Monitor device logs and network traffic for unusual activity that may indicate tampering or unauthorized access attempts. 4. Engage with Novakon support or vendor channels to obtain firmware updates or patches addressing this vulnerability as soon as they become available. 5. Implement network segmentation to isolate vulnerable devices from critical networks, limiting the impact of potential compromise. 6. Consider deploying compensating controls such as hardware security modules or external authentication gateways if supported by the device. 7. Conduct regular security audits and physical inspections of devices to detect signs of tampering. 8. Develop incident response plans specifically addressing physical compromise scenarios for these devices. 9. Educate personnel on the risks of physical access vulnerabilities and enforce strict access policies. 10. If feasible, replace affected devices with versions or models that enforce strong password policies and authentication.