CVE-2025-27615
Published: 10 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27615, published on 2025-03-10, affects umatiGateway, an open-source software application designed to connect OPC Unified Architecture (OPC UA) servers with an MQTT broker using JSON messages. The vulnerability stems from the user interface potentially being publicly accessible when umatiGateway is deployed via the provided docker-compose file. This exposure allows unauthorized remote access to view and alter the application's configuration. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Any network-accessible attacker can exploit this vulnerability without privileges or user interaction by directly connecting to the exposed UI on port 8080. Exploitation enables viewing sensitive configuration details and modifying settings, which could compromise the integrity of the gateway's operations (low impact per CVSS) and disrupt availability (high impact), such as by altering connectivity between OPC UA servers and the MQTT broker.
Mitigation is provided in commit 5d81a3412bc0051754a3095d89a06d6d743f2b16, which updates the docker-compose configuration to bind the UI to 127.0.0.1:8080:8080, so that the UI is reachable only through the host's loopback interface and no longer from other machines. For deployments unable to apply this patch immediately, blocking inbound traffic on port 8080 via a firewall is advised as a workaround, though it may not fully prevent access, because Docker inserts its own iptables rules for published ports and those rules are evaluated ahead of the host's INPUT-chain rules. Further details are documented in the GitHub security advisory GHSA-qf9w-x9qx-2mq7, pull request 101, and related README updates.
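The exposed and corrected port mappings described above, as an added audit script that is not code from the umatiGateway project: it reads a docker-compose file and lists every short-syntax port mapping that is published on all host interfaces, so the pre-fix `8080:8080` form is flagged while the loopback-bound `127.0.0.1:8080:8080` form from the fix passes. The service and image names in the embedded samples are placeholders.

```shell
# Added example (not code from the umatiGateway project): audit a docker-compose
# file for "ports" entries that publish a container port on every host interface.
# In the short syntax "8080:8080" means "0.0.0.0:8080:8080"; only an entry with an
# explicit loopback host address such as "127.0.0.1:8080:8080" stays host-local.
# Only the short "ports" syntax is handled, not the long target:/published: form.

# Constructed sample mirroring the exposed pattern (service and image are placeholders).
WEAK_COMPOSE='services:
  gateway:
    image: example/gateway:latest
    ports:
      - "8080:8080"            # web UI reachable from any network interface
    volumes:
      - ./config:/app/config   # contains a colon but is not a port mapping
'

# Constructed sample mirroring the corrected pattern (UI bound to loopback only).
FIXED_COMPOSE='services:
  gateway:
    image: example/gateway:latest
    ports:
      - "127.0.0.1:8080:8080"
    volumes:
      - ./config:/app/config
'

# Read compose YAML on stdin; print one line per port mapping not bound to loopback.
published_on_all_interfaces() {
  awk '
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && $0 !~ /^[ \t]*-/ { in_ports = 0 }    # next key ends the list
    !in_ports { next }
    {
      item = $0
      sub(/^[ \t]*-[ \t]*/, "", item)      # drop the list dash
      sub(/[ \t]+#.*$/, "", item)          # drop a trailing comment
      gsub(/["'"'"']/, "", item)           # drop YAML quotes
      ip = ""
      if (item ~ /^\[/) {                  # bracketed IPv6 host address
        ip = item; sub(/\].*$/, "", ip); sub(/^\[/, "", ip)
      } else if (split(item, f, ":") >= 3) {   # HOST_IP:HOST_PORT:CONTAINER_PORT
        ip = f[1]
      }
      if (ip == "" || (ip !~ /^127\./ && ip != "::1")) print item
    }'
}

# Exit 0 when every published port is loopback-bound, 1 otherwise (usable as a CI gate).
check_compose() { [ -z "$(published_on_all_interfaces)" ]; }
```

Host firewall rules placed in the INPUT chain do not see Docker-published ports; Docker documents the DOCKER-USER chain for rules that are meant to apply to them, which is why the loopback binding is the reliable fix.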
Details
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190), described above
Why these techniques?
The vulnerability exposes a public-facing web UI (port 8080) without authentication because of the docker-compose port mapping, which directly enables remote exploitation of the application for unauthorized viewing and modification of its configuration.