Cyber Posture

CVE-2025-0680

Critical

Published: 30 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0186 (83.2th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

Affected products contain a vulnerability in the device cloud RPC command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud.

Security Summary

CVE-2025-0680 is a critical vulnerability in the device cloud RPC command handling process present in affected products. Classified under CWE-78, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severe potential impact due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability to gain control over arbitrary devices connected to the cloud service. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing full takeover of targeted devices.

Mitigation guidance is available in CISA ICS Advisory ICSA-25-030-02 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-02, along with vendor resources at https://www.newrocktech.com/ContactUs/index.html.

Details

CWE(s)
CWE-78

References