
CVE-2025-9964: CWE-521 Weak Password Requirements in Novakon P series

Severity: High
Tags: CVE-2025-9964, CWE-521
Published: Tue Sep 23 2025 (09/23/2025, 11:33:13 UTC)
Source: CVE Database V5
Vendor/Project: Novakon
Product: P series

Description

No password for the root user is set in Novakon P series. This allows physical attackers to enter the console easily. This issue affects P series: P – V2001.A.C518o2.

AI-Powered Analysis

AI analysis last updated: 11/04/2025, 02:46:13 UTC

Technical Analysis

CVE-2025-9964 identifies a critical security weakness in the Novakon P series device firmware version P – V2001.A.C518o2, where the root user account is configured without any password. This vulnerability falls under CWE-521, which relates to weak password requirements. The absence of a root password means that anyone with physical access to the device can directly access the console interface without any authentication barrier. This direct console access allows attackers to execute arbitrary commands with root privileges, potentially leading to full system compromise, data theft, or disruption of device operations. The vulnerability is rated with a CVSS 4.0 score of 8.6, indicating high severity, primarily due to the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no need for authentication or user interaction. The attack vector is physical access, which limits remote exploitation but poses a significant risk in environments where devices are accessible to unauthorized personnel. No patches or fixes have been published yet, and no known exploits are currently in the wild. The vulnerability highlights a critical security oversight in the device’s default configuration, emphasizing the need for secure credential management and physical security controls.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, particularly in industrial, manufacturing, or critical infrastructure sectors where Novakon P series devices might be deployed. The lack of root password protection can lead to unauthorized physical access resulting in full control over the device. This can cause operational disruptions, data breaches, or sabotage of industrial processes. The impact is especially severe in environments where devices are located in less secure areas or where physical access controls are weak. Confidentiality is compromised as attackers can access sensitive configuration and operational data. Integrity is at risk since attackers can alter device settings or firmware. Availability can be affected if attackers disrupt device functionality. Given the high CVSS score and the nature of the vulnerability, European organizations must prioritize addressing this issue to prevent potential safety and operational hazards.

Mitigation Recommendations

1. Immediately set strong, unique passwords for the root user on all affected Novakon P series devices.
2. Implement strict physical security controls to restrict unauthorized access to devices, including locked cabinets, surveillance, and access logging.
3. Conduct an inventory audit to identify all devices running the vulnerable firmware version.
4. Monitor device logs for any unauthorized access attempts or suspicious activity.
5. Engage with Novakon for firmware updates or patches addressing this vulnerability and apply them as soon as they become available.
6. Consider network segmentation to isolate vulnerable devices from critical network segments to limit potential lateral movement.
7. Train personnel on the importance of physical security and secure device configuration.
8. If possible, disable unused console ports or interfaces to reduce attack surface.
9. Establish incident response procedures specifically for physical security breaches involving these devices.
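The inventory audit in steps 1 and 3 comes down to checking whether any account, root in particular, has an empty password field in the device's shadow(5)-format file. The script below is an added example for that check; it is not Novakon code, the sample file is constructed, and the assumption is that the device exposes a standard Linux `/etc/shadow` layout.

```shell
#!/bin/sh
# Added example: audit a shadow(5)-format file for accounts whose password
# field is empty, i.e. accounts that can log in at the console with no
# password (the weakness CVE-2025-9964 describes for root).
# Assumption: the file uses the standard user:password:... layout.

# Print the names of all accounts whose second field is empty.
# Locked accounts ("!" or "*") and hashed passwords are not reported.
find_passwordless() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 if root specifically has an empty password, 1 otherwise.
root_has_no_password() {
    awk -F: '$1 == "root" && $2 == "" { found = 1 } END { exit !found }' "$1"
}

# Constructed sample resembling /etc/shadow on an embedded Linux device:
# root has no password, daemon and operator are locked, service has a hash.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
operator:!:19000:0:99999:7:::
service:$6$saltsalt$hashhashhash:19000:0:99999:7:::
EOF

# Constructed sample after remediation: root now carries a hash.
FIXED="$(mktemp)"
cat > "$FIXED" <<'EOF'
root:$6$saltsalt$otherhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF

# Stand-alone run: report the vulnerable accounts in the first sample.
echo "Accounts with empty password field:"
find_passwordless "$SAMPLE"
```

Run against the real file (as root, the only account that can read it) the same function lists every account that would fail this audit, which is the set that step 1 has to fix.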


Technical Details

Data Version: 5.1
Assigner Short Name: CyberDanube
Date Reserved: 2025-09-03T20:34:19.027Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d336ad712f26b964ce8e82

Added to database: 9/24/2025, 12:09:17 AM

Last enriched: 11/4/2025, 2:46:13 AM

Last updated: 11/22/2025, 1:45:15 PM
