PatchSiren cyber security CVE debrief
CVE-2025-0681 New Rock Technologies CVE debrief
CVE-2025-0681 affects New Rock Technologies Cloud Connected Devices, including OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone. The advisory says the Cloud MQTT service supports wildcard topic subscription, which could let an attacker obtain sensitive information by tapping service communications. CISA assigns the issue a medium CVSS 3.1 score of 6.2, with confidentiality impact only.
- Vendor
- New Rock Technologies
- Product
- OM500 IP-PBX
- CVSS
- MEDIUM 6.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-01-30
- Original CVE updated
- 2025-01-30
- Advisory published
- 2025-01-30
- Advisory updated
- 2025-01-30
Who should care
Organizations that operate or support affected New Rock Technologies cloud-connected voice and IP-telephony devices, especially OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone deployments.
Technical summary
The supplied CISA CSAF advisory states that the affected products' Cloud MQTT service allows wildcard topic subscription. In that configuration, an attacker may be able to observe service communications and obtain sensitive information. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a confidentiality-focused issue with no integrity or availability impact in the advisory data.
Defensive priority
Moderate. Prioritize inventorying affected devices, validating whether the Cloud MQTT service is exposed or needed, and applying compensating controls because the supplied advisory does not identify a vendor fix and says New Rock Technologies had not responded to CISA's mitigation requests.
Recommended defensive actions
- Identify all deployments of the affected New Rock Technologies products and confirm whether they match the advisory's affected versions.
- Review whether Cloud MQTT functionality is required; if not, disable or isolate it according to vendor guidance and internal change control.
- Restrict network access to management and service interfaces using segmentation and least-privilege network rules.
- Monitor service and MQTT-related traffic for unexpected subscriptions or anomalous access patterns.
- Contact New Rock Technologies customer support for current mitigation or remediation guidance, as directed by the advisory.
- Follow CISA ICS recommended practices and other official defense-in-depth guidance for compensating controls.
Evidence notes
The CISA CSAF advisory ICSA-25-030-02 (published 2025-01-30) is the primary source and names the affected products and vulnerability description. The advisory notes the Cloud MQTT wildcard subscription issue and includes the CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. It also states that New Rock Technologies had not responded to requests to work with CISA to mitigate the vulnerabilities.
Official resources
-
CVE-2025-0681 CVE record
CVE.org
-
CVE-2025-0681 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA initially published advisory ICSA-25-030-02 and the corresponding CVE record on 2025-01-30T07:00:00.000Z. This debrief uses that publication date as the issue timeline reference.