CVE-2025-64097
Published: 22 January 2026
Summary
CVE-2025-64097 is a critical-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Nerves-Hub Nerveshub. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 requires secure management of authenticators including generation with cryptographic strength and randomness, directly preventing brute-force guessing of predictable API tokens.
SI-2 mandates timely identification, reporting, and remediation of flaws like predictable token generation, enabling upgrade to the patched version 2.3.0.
AC-7 limits unsuccessful logon attempts via account lockout or rate limiting, partially mitigating brute-force enumeration of API tokens.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Predictable tokens enable network brute-force or enumeration attacks that yield unauthorized API access to a public-facing NervesHub service.
NVD Description
NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation, firewalling access to the NervesHub server can help limit exposure until an upgrade is possible.
Deeper analysis
CVE-2025-64097 is a vulnerability in NervesHub, a web service for managing over-the-air (OTA) firmware updates on field devices. Affecting versions from 1.0.0 up to but not including 2.3.0, the issue stems from predictably formatted user API tokens that incorporate user-identifiable components and lack cryptographic security. This design flaw, classified under CWE-330 (Use of Insufficiently Random Values), enables brute-force guessing or enumeration of tokens, with a CVSS v3.1 base score of 9.8 indicating critical severity (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By leveraging the predictable token structure, adversaries can enumerate or guess valid tokens, gaining unauthorized access to affected user accounts and executing API actions protected by those tokens, such as managing device firmware updates.
The fix is implemented in NervesHub version 2.3.0, which generates strong, cryptographically random tokens using `:crypto.strong_rand_bytes/1`, hashes tokens prior to database storage to mitigate compromise risks, and employs context-aware storage to differentiate session and API tokens. No practical workarounds exist beyond upgrading, though firewalling access to the NervesHub server offers temporary exposure reduction in sensitive environments. Details are available in the GitHub security advisory (GHSA-m9vj-776q-vc8m), pull request #2024, and release notes for v2.3.0.
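The three remediation measures described above (tokens from `:crypto.strong_rand_bytes/1`, hashing before storage, context-aware storage), shown as an added Elixir example that is not NervesHub's own code; the module name, function names and the in-memory record list are assumptions standing in for the project's real schema.

```elixir
defmodule TokenExample do
  @moduledoc """
  Added example, not NervesHub's code: the three remediation measures the
  advisory names. Tokens come from :crypto.strong_rand_bytes/1, only a SHA-256
  hash of the token is stored, and each stored record carries its context
  (:api or :session) so the two token kinds cannot be used interchangeably.
  Requires OTP 25+ for :crypto.hash_equals/2.
  """

  @token_bytes 32

  # Issue a token for one context. The plaintext is returned to the caller
  # exactly once; `record` is the only thing that would be persisted.
  def issue(context, user_id) when context in [:api, :session] do
    raw = :crypto.strong_rand_bytes(@token_bytes)
    # URL-safe encoding with no user-identifiable prefix or counter embedded.
    plaintext = Base.url_encode64(raw, padding: false)
    record = %{context: context, user_id: user_id, token_hash: hash(plaintext)}
    {plaintext, record}
  end

  # Hash before storage: a leaked database yields hashes, not usable tokens.
  def hash(plaintext) when is_binary(plaintext), do: :crypto.hash(:sha256, plaintext)

  # Find the record for a presented token in the given context. The presented
  # value is hashed and compared in constant time against each stored hash;
  # a record from another context never matches, so a session token cannot
  # be replayed against the API.
  def verify(records, context, presented) when is_binary(presented) do
    candidate = hash(presented)

    Enum.find(records, fn %{context: ctx, token_hash: stored} ->
      ctx == context and :crypto.hash_equals(stored, candidate)
    end)
  end
end

# Demonstration on constructed data (user id 42 is made up).
{api_token, api_rec} = TokenExample.issue(:api, 42)
{session_token, session_rec} = TokenExample.issue(:session, 42)
store = [api_rec, session_rec]

# Presenting the API token in the API context.
TokenExample.verify(store, :api, api_token)
# Presenting a valid session token in the API context.
TokenExample.verify(store, :api, session_token)
# Presenting a guessed value; the stored hashes give an attacker nothing to work from.
TokenExample.verify(store, :api, "not-a-real-token")
```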
Details
- CWE(s)