
CVE-2025-9965: CWE-287 Improper Authentication in Novakon P series

Severity: Critical
Published: Tue Sep 23 2025 (09/23/2025, 11:36:35 UTC)
Source: CVE Database V5
Vendor/Project: Novakon
Product: P series

Description

Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device. This issue affects P series: P – V2001.A.C518o2.

AI-Powered Analysis

Last updated: 09/24/2025, 00:14:00 UTC

Technical Analysis

CVE-2025-9965 is a critical improper authentication vulnerability (CWE-287) affecting the Novakon P series programmable logic controllers (PLCs), specifically version P – V2001.A.C518o2. This flaw allows unauthenticated attackers to upload and download any application code to and from the device without requiring any credentials or user interaction. The vulnerability arises from insufficient authentication controls on the device's application management interface, enabling remote attackers to fully manipulate the PLC's logic and firmware. Given the role of PLCs in industrial control systems (ICS), this vulnerability could be exploited to alter operational processes, disrupt manufacturing workflows, or cause physical damage by modifying control logic. The CVSS 4.0 score of 9.3 (critical) reflects the high impact on confidentiality, integrity, and availability, with a network attack vector, no required privileges, and no user interaction needed. Although no known exploits are currently reported in the wild, the ease of exploitation and the criticality of the affected systems make this a significant threat to industrial environments relying on Novakon P series devices.

Potential Impact

For European organizations, especially those in manufacturing, utilities, and critical infrastructure sectors that utilize Novakon P series PLCs, this vulnerability poses a severe risk. Exploitation could lead to unauthorized control over industrial processes, resulting in operational downtime, safety hazards, and potential physical damage to equipment. The compromise of these devices could also lead to data exfiltration or sabotage, impacting supply chains and causing financial losses. Given the interconnected nature of industrial networks in Europe and the increasing adoption of Industry 4.0 technologies, the vulnerability could be leveraged for targeted attacks or as part of broader cyber-physical attack campaigns. The lack of authentication barriers means attackers can remotely access and manipulate devices without detection, increasing the risk of stealthy persistent threats.

Mitigation Recommendations

Organizations should immediately inventory their industrial control systems to identify the presence of Novakon P series devices running version P – V2001.A.C518o2. Until a vendor patch is available, network segmentation should be enforced to isolate these PLCs from untrusted networks and restrict access to trusted personnel only. Implement strict firewall rules and intrusion detection systems tailored to monitor anomalous application upload/download activities on these devices. Employ network-level authentication proxies or VPNs to add an additional authentication layer. Regularly audit device configurations and logs for unauthorized access attempts. Engage with Novakon for any available firmware updates or workarounds and plan for timely patch deployment once released. Additionally, develop incident response plans specific to ICS environments to quickly address any exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: CyberDanube
Date Reserved: 2025-09-03T20:34:19.829Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d336ad712f26b964ce8ed1

Added to database: 9/24/2025, 12:09:17 AM

Last enriched: 9/24/2025, 12:14:00 AM

Last updated: 10/1/2025, 2:13:54 PM
