PatchSiren cyber security CVE debrief
CVE-2025-0680 New Rock Technologies CVE debrief
CVE-2025-0680 is a critical remote compromise issue affecting New Rock Technologies cloud-connected devices. According to CISA, the flaw is in the device cloud RPC command handling process and could allow remote attackers to take control of arbitrary devices connected to the cloud. CISA lists affected products as the OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone, with all versions noted as affected in the advisory metadata.
- Vendor
- New Rock Technologies
- Product
- OM500 IP-PBX
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-01-30
- Original CVE updated
- 2025-01-30
- Advisory published
- 2025-01-30
- Advisory updated
- 2025-01-30
Who should care
Organizations that deploy or manage New Rock Technologies OM500 IP-PBX, MX8G VoIP Gateway, or NRP1302/P Desktop IP Phone devices, especially in cloud-connected environments. Security teams responsible for industrial, communications, or device-management networks should prioritize review.
Technical summary
The advisory describes a network-reachable vulnerability in cloud RPC command handling. The supplied CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating no privileges or user interaction are required and that successful exploitation can have high impact on confidentiality, integrity, and availability. The source material does not provide a patched version or mitigation beyond contacting vendor support.
Defensive priority
Immediate. This is a critical, remotely exploitable issue with high potential impact and no required privileges or user interaction.
Recommended defensive actions
- Inventory all New Rock Technologies OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone deployments.
- Treat all listed versions as affected until the vendor provides specific remediation guidance.
- Review exposure of cloud-connected management paths and restrict access where possible.
- Monitor CISA and the vendor contact channel for mitigation or update information.
- If these devices are business-critical, plan compensating controls and incident-response validation now.
- Document asset owners and confirm whether any devices are connected to cloud services referenced by the vendor advisory.
Evidence notes
CISA’s CSAF advisory ICSA-25-030-02 states that affected products contain a vulnerability in the device cloud RPC command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud. The advisory metadata lists New Rock Technologies as the vendor, identifies OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone as affected products, and marks them as vers:all/* in the source data. The remediation section notes that New Rock Technologies has not responded to requests to work with CISA to mitigate these vulnerabilities and directs users to contact customer support for more information. Published and modified dates in the supplied record are 2025-01-30T07:00:00Z.
Official resources
-
CVE-2025-0680 CVE record
CVE.org
-
CVE-2025-0680 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory on 2025-01-30 and the supplied record shows no earlier timeline details. The source notes that New Rock Technologies had not responded to CISA mitigation outreach as of publication.