PatchSiren cyber security CVE debrief
CVE-2025-36535 AutomationDirect CVE debrief
CVE-2025-36535 is a critical flaw in AutomationDirect MB-Gateway where the embedded webserver lacks authentication and access controls. According to CISA’s advisory published on 2025-05-20, remote users may gain unrestricted access and potentially change configuration, disrupt operations, or trigger more severe impact depending on the exposed functionality and environment.
- Vendor: AutomationDirect
- Product: MB-Gateway
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-20
- Original CVE updated: 2025-05-20
- Advisory published: 2025-05-20
- Advisory updated: 2025-05-20
Who should care
Industrial control system operators, plant engineers, OT/ICS administrators, and security teams responsible for AutomationDirect MB-Gateway deployments should treat this as urgent. Any environment exposing the device to untrusted networks, especially the internet, is at elevated risk.
Technical summary
CISA’s advisory identifies the affected product as AutomationDirect MB-Gateway: vers:all/*, indicating all versions are affected in the advisory scope. The core issue is an embedded webserver that does not enforce authentication or access control, so a remote attacker can interact with exposed management functionality without credentials. The advisory warns this can result in configuration changes, operational disruption, or arbitrary code execution depending on how the device is deployed and what functions are reachable.
Defensive priority
Immediate. This is a network-reachable, unauthenticated management exposure with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Prioritize isolation, exposure reduction, and replacement planning over routine patching, because the vendor notes that a hardware limitation prevents a proper access-control update.
Recommended defensive actions
- Replace MB-Gateway with AutomationDirect EKI-1221-CE as recommended by the vendor.
- Ensure affected devices are not accessible from the internet or untrusted networks; place them behind firewalls.
- Use dedicated secure internal networks or air-gapped systems for communication with programmable devices.
- Restrict physical and logical access to authorized personnel only.
- Implement application whitelisting to allow only pre-approved and trusted access.
- Enable logging and monitoring of system activity and regularly review logs for suspicious behavior.
- Maintain secure backups of workstations and configurations, and test recovery procedures.
- Begin evaluating and migrating to supported hardware with active vendor support.
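The firewall and logging actions above only help if someone checks that the web interface is in fact unreachable from anywhere but the engineering segment. As an added example (not part of the original debrief, and not an AutomationDirect tool), the following Python runs that check over firewall connection logs: it flags any accepted connection to a gateway's web-management port from outside the approved engineering subnet, distinguishing an internal-but-unapproved source from one outside private address space, and records blocked attempts as lower-severity evidence that the controls are being tested. The gateway addresses, the approved subnet, the internal address ranges and the syslog-style log format are all constructed assumptions for the demonstration; swap in the real inventory and your firewall's own record layout.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory: addresses of the MB-Gateway units (assumption, not real data).
GATEWAY_HOSTS = {"10.20.1.50", "10.20.1.51"}

# Constructed allowlist: only the engineering workstation subnet may reach the web UI.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]

# Address space treated as "internal" for severity grading (RFC 1918 ranges, by assumption).
INTERNAL_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ports of the embedded webserver that the advisory says lack authentication.
MGMT_PORTS = {80, 443}

# Constructed firewall records; this field layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
2025-05-21T10:15:02Z fw01 ACCEPT proto=tcp src=10.20.5.14 dst=10.20.1.50 dport=80
2025-05-21T10:15:09Z fw01 ACCEPT proto=tcp src=10.20.5.14 dst=10.20.1.50 dport=502
2025-05-21T10:16:31Z fw01 ACCEPT proto=tcp src=198.51.100.23 dst=10.20.1.50 dport=80
2025-05-21T10:16:40Z fw01 DENY proto=tcp src=203.0.113.77 dst=10.20.1.51 dport=443
2025-05-21T10:17:05Z fw01 ACCEPT proto=tcp src=10.30.8.9 dst=10.20.1.51 dport=80
2025-05-21T10:17:12Z fw01 ACCEPT proto=tcp src=10.20.5.20 dst=10.20.9.9 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    action: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def source_is_approved(src):
    """True when the source address lies inside an approved engineering subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in APPROVED_SOURCES)


def source_is_internal(src):
    """True when the source address is in the ranges we treat as internal."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_SPACE)


def analyse(log_text):
    """Return findings for traffic to a gateway management port from unapproved sources."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines in another format rather than fail the whole run
        dst, dport, src = m["dst"], int(m["dport"]), m["src"]
        if dst not in GATEWAY_HOSTS or dport not in MGMT_PORTS:
            continue  # not the unauthenticated web interface; out of scope here
        if source_is_approved(src):
            continue
        if m["action"] == "ACCEPT":
            if source_is_internal(src):
                severity, reason = "high", "web interface reachable from an unapproved internal segment"
            else:
                severity, reason = "critical", "web interface reachable from outside private address space"
        else:
            severity, reason = "medium", "blocked attempt to reach web interface from an unapproved source"
        findings.append(Finding(m["ts"], m["action"], src, dst, dport, severity, reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.severity:8} {f.timestamp} {f.action} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Any "critical" or "high" finding means the exposure-reduction step has not actually been achieved for that device and the firewall policy needs correcting before anything else; a steady stream of "medium" findings is the signal to escalate the replacement timeline, since the device cannot be patched. Modbus traffic on TCP/502 is deliberately left out of scope so the check stays focused on the management interface the advisory describes.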
Evidence notes
This debrief is based on CISA advisory ICSA-25-140-09 and the associated CSAF source item for CVE-2025-36535. The advisory explicitly states the embedded webserver lacks authentication and access controls, and it lists the affected product as AutomationDirect MB-Gateway: vers:all/*. The vendor remediation guidance in the source corpus recommends replacement with EKI-1221-CE and interim exposure-reduction measures. No CISA KEV entry was provided in the supplied data.
Official resources
- CVE-2025-36535 CVE record (CVE.org)
- CVE-2025-36535 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory and the CVE record on 2025-05-20T06:00:00.000Z. The source advisory revision history in the supplied corpus shows initial publication on the same date.