CVE-2025-24846
Published: 03 March 2025
Summary
CVE-2025-24846 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in the FutureNet AS series industrial routers from Century Systems Co., Ltd. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2025-24846 is an authentication bypass vulnerability (CWE-288) affecting the FutureNet AS series industrial routers provided by Century Systems Co., Ltd. The flaw enables attackers to circumvent authentication controls through a specially crafted request, exposing device information such as the MAC address. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact.
A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to obtain sensitive device details, including the MAC address, without needing prior privileges.
Advisories published by JVN (https://jvn.jp/en/vu/JVNVU96398949/) and Century Systems (https://www.centurysys.co.jp/backnumber/common/jvnvu96398949.html) provide further details on the vulnerability, including recommended mitigations and patches. Security practitioners should consult these sources for the affected firmware versions and specific remediation steps. Until the vendor update is applied, limiting network reachability of the router's management interface to trusted management networks removes the public exposure that T1190 depends on.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5806
Vulnerability details
Authentication bypass vulnerability exists in FutureNet AS series (Industrial Routers) provided by Century Systems Co., Ltd. If this vulnerability is exploited, a remote unauthenticated attacker may obtain the device information such as MAC address by sending a specially crafted request.
CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why this technique?
The authentication bypass sits in the router's network-accessible management interface, so a remote attacker can reach it without credentials and read device information; that is exactly the exploitation of a public-facing application that T1190 describes.
Affected Assets
- FutureNet AS series industrial routers (Century Systems Co., Ltd.); see the JVN and vendor advisories for the affected firmware versions.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources in accordance with policy, so that a request which sidesteps the login flow is still denied access to device data.
- IA-8 (Identification and Authentication (Non-organizational Users)): Requires unique identification and authentication of non-organizational users, such as a remote unauthenticated attacker, before any device information is released.
- Input validation: Validates information inputs, including specially crafted requests that could bypass authentication and expose sensitive device details such as MAC addresses.