CVE-2025-9964 is a high-severity vulnerability identified in the Novakon P series industrial control devices, specifically version P – V2001.A.C518o2. The core issue is the absence of a password set for the root user account, effectively allowing anyone with physical access to the device to gain unrestricted console access. This vulnerability is classified under CWE-521, which pertains to weak or missing password requirements. Since the root account typically has full administrative privileges, an attacker can manipulate device configurations, disrupt operations, or pivot to other parts of the network. The CVSS 4.0 score of 8.6 reflects the critical nature of this vulnerability, with a vector indicating physical attack vector (AV:P), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). Although no known exploits are currently reported in the wild, the vulnerability’s nature makes it a significant risk in environments where physical security is not strictly enforced. The lack of a password on the root account is a fundamental security oversight, especially for industrial control systems that often operate critical infrastructure or manufacturing processes. This vulnerability could be exploited by insiders or intruders who gain physical access, potentially leading to operational disruptions, data manipulation, or safety hazards.

For European organizations, especially those operating in critical infrastructure sectors such as energy, manufacturing, transportation, and utilities, this vulnerability poses a substantial risk. Industrial control systems like the Novakon P series are often integral to operational technology (OT) environments. Unauthorized root access could lead to sabotage, production downtime, or safety incidents, which in turn could have cascading effects on supply chains and public safety. Given the high impact on confidentiality, integrity, and availability, attackers could manipulate device settings, disable safety mechanisms, or exfiltrate sensitive operational data. The physical access requirement somewhat limits remote exploitation, but insider threats or inadequate physical security controls could facilitate attacks. Additionally, compliance with European regulations such as NIS2 Directive and GDPR could be jeopardized if this vulnerability leads to data breaches or service disruptions. The reputational and financial consequences for affected organizations could be severe, including regulatory fines and loss of customer trust.

To mitigate this vulnerability, European organizations should immediately verify the firmware version of their Novakon P series devices and confirm whether the root password is set. If the affected version (P – V2001.A.C518o2) is in use, organizations should implement the following specific measures: 1) Physically secure all devices to prevent unauthorized access, including locked cabinets and restricted access areas. 2) Manually set a strong, complex password for the root account if the device allows it, or apply any available vendor patches or firmware updates once released. 3) Implement strict access control policies and monitor physical access logs to detect unauthorized entry attempts. 4) Employ network segmentation to isolate these devices from broader IT networks, limiting potential lateral movement. 5) Conduct regular security audits and penetration tests focusing on physical security and device configurations. 6) Engage with Novakon support to request official patches or guidance and monitor for any future advisories. 7) Train personnel on the importance of physical security and the risks associated with this vulnerability. These targeted actions go beyond generic advice by focusing on the unique combination of physical access and device-specific configuration weaknesses.