PatchSiren

CVE-2025-49152 MICROSENS CVE debrief

CVE-2025-49152 is a HIGH-severity authentication/session-control issue in MICROSENS NMP Web+. According to CISA’s advisory, affected versions contain JSON Web Tokens that do not expire, which can allow an attacker to gain access to the system. MICROSENS recommends updating to NMP Web+ 3.3.0 for Windows and Linux.

Vendor: MICROSENS
Product: NMP Web+
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-24
Original CVE updated: 2025-06-24
Advisory published: 2025-06-24
Advisory updated: 2025-06-24

Who should care

Organizations running MICROSENS NMP Web+ in operational or industrial environments, especially administrators responsible for authentication, access control, and patch management.

Technical summary

The advisory identifies MICROSENS NMP Web+ <= 3.2.5 as affected. The core problem is that JWTs do not expire, so token validity is not properly time-limited. CISA assigns CVSS v3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating a network-reachable issue with no privileges or user interaction required and a high integrity impact.

Defensive priority

High. This affects access control and can permit unauthorized system access; patching should be prioritized for exposed or operational deployments.

Recommended defensive actions

  • Update MICROSENS NMP Web+ to version 3.3.0 for Windows and Linux as recommended by the vendor.
  • Inventory all MICROSENS NMP Web+ deployments and confirm whether any instances are running version 3.2.5 or earlier.
  • Review authentication and session-management controls for affected systems, including token handling and administrative access pathways.
  • Restrict network exposure to NMP Web+ management interfaces until remediation is complete.
  • After upgrading, verify that access tokens and sessions follow expected expiration and revocation behavior.
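
One way to run the post-upgrade expiration check from the last item above, as an added example that is not taken from the advisory or from MICROSENS. It assumes the token is a standard compact JWT with RFC 7519 `exp`/`iat` claims in seconds (this page does not describe how NMP Web+ structures its tokens); `MAX_LIFETIME_S`, `audit_jwt_expiry` and `sample_token` are hypothetical names, and the sample tokens are constructed.

```python
import base64
import json
import time

MAX_LIFETIME_S = 8 * 3600  # assumed policy ceiling; replace with your own

def is_num(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)

def audit_jwt_expiry(token, now=None, max_lifetime_s=MAX_LIFETIME_S):
    """Return findings about the token's time limit; an empty list means OK.

    Reads claims only and does NOT verify the signature, so it is a
    configuration check for tokens issued to you by your own deployment.
    """
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected 3 dot-separated segments)"]
    try:
        # Compact JWTs strip base64 '=' padding; restore it before decoding.
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict) or not is_num(claims.get("exp")):
        return ["no numeric 'exp' claim: token carries no expiry"]
    # Measure from 'iat' when present, otherwise from the time of the check.
    start = claims["iat"] if is_num(claims.get("iat")) else now
    lifetime = claims["exp"] - start
    if lifetime > max_lifetime_s:
        return [f"lifetime {int(lifetime)}s exceeds limit {max_lifetime_s}s"]
    return []

def sample_token(claims):
    """Build a CONSTRUCTED demo token; the signature segment is a dummy."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.ZHVtbXk"

if __name__ == "__main__":
    t0 = 1_750_000_000  # constructed issue time
    for exp in (None, t0 + 3600, t0 + 365 * 86400):
        claims = {"sub": "u", "iat": t0, **({"exp": exp} if exp else {})}
        print(claims, "->", audit_jwt_expiry(sample_token(claims), now=t0) or "OK")
```

A clean result only shows that the token declares a bounded lifetime; confirming that the server rejects the token after `exp` still requires replaying it against your own instance once it has lapsed.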

Evidence notes

CISA’s CSAF advisory ICSA-25-175-07, published 2025-06-24, states that MICROSENS NMP Web+ products at version <= 3.2.5 contain JSON Web Tokens (JWT) that do not expire and that this could allow an attacker to gain access to the system. The advisory’s remediation is to update to NMP Web+ version 3.3.0 for Windows and Linux. The supplied CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N with a score of 7.5 (HIGH).

Official resources

Publicly disclosed by CISA in ICS Advisory ICSA-25-175-07 on 2025-06-24 (initial publication).