Cyber Resilience

CVE-2025-64309

High

Published: 15 November 2025

Published
15 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 29.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64309 is a high-severity Unprotected Transport of Credentials (CWE-523) vulnerability in Brightpick Mission Control (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-64309 is a high-severity information disclosure vulnerability (CVSS 8.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) affecting Brightpick Mission Control software, associated with CWE-523. The flaw allows unauthenticated users to access device telemetry, configuration, and credential information through WebSocket traffic by connecting to a specific URL. This URL is discoverable via basic network scanning techniques, exposing sensitive data without authentication.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants access to confidential operational data, including credentials, potentially enabling further reconnaissance, lateral movement, or disruption in environments relying on Brightpick Mission Control for device management.

CISA has published ICS Advisory ICSA-25-317-04 detailing the issue, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04, along with a corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json. Vendor contact information is provided at https://brightpick.ai/contact-us/ for mitigation guidance and patches.

EU & UK References

Vulnerability details

Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. The unauthenticated URL can be discovered through basic network scanning techniques.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1589.001 Credentials Reconnaissance
Adversaries may gather credentials that can be used during targeting.
T1592.004 Client Configurations Reconnaissance
Adversaries may gather information about the victim's client configurations that can be used during targeting.
Why these techniques?

Unauthenticated exposure of credentials, device configurations, and telemetry via public-facing WebSocket enables T1190 exploitation and directly facilitates pre-compromise reconnaissance of victim credentials (T1589.001) and client configurations (T1592.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-1509Shared CWE-523
CVE-2025-61916Shared CWE-523

Affected Assets

Brightpick
Mission Control
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly identifies and restricts actions performable without identification or authentication, preventing unauthenticated access to the sensitive WebSocket endpoint exposing telemetry, configuration, and credentials.

prevent

Enforces approved authorizations and protections for publicly accessible system resources, mitigating exposure of sensitive data via discoverable unauthenticated WebSocket URLs.

prevent

Mandates enforcement of access control policies to block unauthorized logical access to sensitive information disclosed over the unauthenticated WebSocket connection.

References