Critical Vulnerabilities in MICROSENS NMP Web+ Expose Industrial Control Systems to Remote Attacks
Multiple severe security flaws in MICROSENS' NMP Web+ software could allow unauthenticated attackers to gain complete control of industrial network equipment, potentially disrupting critical infrastructure. The vulnerabilities, one of which has a CVSS score of 9.3, could enable remote code execution and authentication bypass. MICROSENS has released a patch, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to update their systems immediately.
The affected product, MICROSENS NMP Web+, is a network management platform used to monitor, configure, and control industrial switches and other network devices manufactured by the German company. These components are deployed worldwide in various sectors, including critical manufacturing.
Trio of Flaws Poses Significant Threat
Security researchers have identified three key vulnerabilities in the NMP Web+ software:
- Authentication Bypass (CVE-2025-49151): A critical flaw allows unauthenticated attackers to generate forged JSON Web Tokens (JWTs). This enables them to bypass authentication mechanisms and gain unauthorized access to the system. The vulnerability stems from the use of hard-coded security constants.
- Path Traversal and Arbitrary Code Execution (CVE-2025-49153): A second critical flaw allows an attacker to overwrite files and execute arbitrary code on the server. This path traversal vulnerability can be exploited by an unauthenticated attacker, leading to full system compromise.
- Insufficient Session Expiration (CVE-2025-49152): A high-severity flaw was discovered where the JWTs used for session management do not expire. This means that if a token is compromised, an attacker could potentially maintain unauthorized access indefinitely.
Noam Moshe, a vulnerability researcher at Claroty's Team82 who discovered the flaws, explained that these vulnerabilities can be chained together. An attacker could first exploit the authentication bypass to obtain a valid token and then use the path traversal vulnerability to overwrite critical files, ultimately gaining complete control over the system at the operating system level. Moshe described this as a "from zero to hero" attack, where an attacker with no prior access or credentials can achieve full system control.
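The three flaw classes described above (hard-coded signing constants, tokens that never expire, path traversal) each correspond to a server-side check. The following Python is an added example, not MICROSENS or Team82 code; the function names, the HS256 scheme, the one-hour lifetime cap and all sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time
from pathlib import Path

# Assumption: the key is generated per installation, never shipped as a constant in the product.
KEY = os.urandom(32)

def _b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (here only to build constructed sample input)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_token(token: str, key: bytes, max_lifetime: int = 3600, now=None) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        given = _b64d(sig)
    except (ValueError, TypeError):
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no expiry")  # a missing exp is rejected, not ignored
    if exp <= now or exp - now > max_lifetime:
        raise ValueError("expired or over-long lifetime")
    return claims

def safe_path(base_dir: str, user_name: str) -> Path:
    """Resolve a client-supplied file name and refuse anything outside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / user_name).resolve()
    if target == base or not target.is_relative_to(base):
        raise ValueError("path escapes base directory")
    return target
```

A token signed with any key other than the installation's own fails the signature check, a token with no `exp` or a far-future `exp` is rejected, and a file name containing `..` or an absolute path never resolves outside the allowed directory.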
CISA Advisory and Mitigation Steps
CISA has issued an advisory detailing these vulnerabilities and their potential impact. While CISA is not currently aware of any active exploitation of these flaws, the agency emphasizes the urgency of applying the available patch.
MICROSENS has released version 3.3.0 of the NMP Web+ software for both Windows and Linux to address these vulnerabilities.
In addition to updating the software, CISA recommends the following defensive measures to minimize the risk of exploitation:
- Minimize network exposure: Ensure that control system devices and systems are not accessible from the internet.
- Network segmentation: Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- Secure remote access: Implement robust security measures for any remote access to the network.
- Defense-in-depth strategies: Employ multiple layers of security controls to protect critical systems.
- Team education: Ensure that technical staff are aware of these vulnerabilities and the necessary remediation steps.
The discovery of these critical vulnerabilities underscores the ongoing security challenges facing industrial control systems, and the importance of proactive vulnerability management and adherence to security best practices in protecting critical infrastructure from cyber threats.