CVE-2025-9965: CWE-287 Improper Authentication in Novakon P series (P07, P10, P12, P15)
Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device. This issue affects P series: P – V2001.A.C518o2 until P-2.0.05 Build 2026.02.06 (commit d0f97fd9).
AI Analysis
Technical Summary
CVE-2025-9965 is an improper authentication vulnerability (CWE-287) identified in the Novakon P series programmable logic controllers (PLCs), specifically models P07, P10, P12, and P15. The affected firmware versions range from P – V2001.A.C518o2 through P-2.0.05 Build 2026.02.06. The vulnerability allows unauthenticated remote attackers to upload and download any application code to or from the device without requiring any credentials or user interaction. This means attackers can potentially replace legitimate control logic with malicious code or extract sensitive application data, compromising the device’s integrity and confidentiality. The CVSS 4.0 base score is 9.3 (critical), reflecting the ease of exploitation (network attack vector, no privileges or user interaction needed) and the high impact on confidentiality, integrity, and availability. Although the scope change is low, the impact on the device’s operation is high. No patches or exploits in the wild are currently reported, but the risk is significant given the critical role of these devices in industrial control systems. The vulnerability stems from improper authentication mechanisms that fail to restrict access to application upload/download functionality, a fundamental security flaw in industrial device firmware. This flaw could be leveraged to disrupt industrial processes, cause physical damage, or exfiltrate sensitive operational data.
Potential Impact
The impact of CVE-2025-9965 is severe for organizations using Novakon P series PLCs in industrial automation, manufacturing, and critical infrastructure sectors. Successful exploitation allows attackers to fully control the device’s application logic, enabling sabotage of industrial processes, disruption of production lines, or physical damage to equipment. Confidentiality is compromised as attackers can download proprietary or sensitive application data. Integrity is critically affected since malicious applications can be uploaded, altering device behavior. Availability is also at risk due to potential device malfunctions or shutdowns caused by unauthorized code. The lack of authentication means attackers can exploit this vulnerability remotely without prior access, increasing the attack surface. This could lead to operational downtime, financial losses, safety hazards, and reputational damage. Given the strategic importance of industrial control systems globally, this vulnerability poses a significant threat to sectors such as energy, manufacturing, transportation, and utilities.
Mitigation Recommendations
1. Immediate mitigation should include network segmentation to isolate Novakon P series devices from untrusted networks and restrict access to management interfaces.
2. Implement strict firewall rules and access control lists (ACLs) to limit communication to authorized personnel and systems only.
3. Monitor network traffic for unusual upload/download activity targeting these devices.
4. Disable any unnecessary remote management features until patches are available.
5. Regularly audit device firmware versions and configurations to identify vulnerable units.
6. Engage with Novakon for official patches or firmware updates addressing this vulnerability and apply them promptly once released.
7. Employ intrusion detection/prevention systems (IDS/IPS) tailored for industrial protocols to detect exploitation attempts.
8. Train operational technology (OT) staff to recognize signs of compromise and enforce strong physical security controls to prevent unauthorized local access.
9. Develop and test incident response plans specific to industrial control system breaches involving these devices.
10. Consider deploying application whitelisting or code signing mechanisms if supported by the devices to prevent unauthorized application uploads.
Affected Countries
United States, Germany, China, South Korea, Japan, France, United Kingdom, Italy, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: CyberDanube
- Date Reserved: 2025-09-03T20:34:19.829Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d336ad712f26b964ce8ed1
Added to database: 9/24/2025, 12:09:17 AM
Last enriched: 3/31/2026, 7:28:58 PM
Last updated: 5/10/2026, 8:28:37 AM