CVE-2025-2079 Overview
CVE-2025-2079 affects the Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool, version 3.1.2rc11. Both products embed a hard-coded secret key that is used to sign JSON Web Token (JWT) session tokens. Because the key is identical in every shipped copy, an attacker who recovers it from any one installation can forge JWTs that every installation accepts and thereby impersonate authenticated users. The flaw is classified as CWE-547 (Use of Hard-coded, Security-relevant Constants). CISA published advisory ICSA-25-070-02 describing the issue; the affected tools are used for BACnet traffic capture in building automation and industrial control environments.
Critical Impact
Remote, unauthenticated attackers who hold the shared signing key can forge JWT session tokens and obtain authenticated access to the capture tool's web interface, exposing stored BACnet network captures and the operational visibility they provide.
Affected Products
- Optigo Networks Visual BACnet Capture Tool version 3.1.2rc11
- Optigo Visual Networks Capture Tool version 3.1.2rc11
- Industrial control system and building automation deployments that rely on these tools for BACnet packet inspection (exposed indirectly through the captured traffic the tools hold)
Discovery Timeline
- 2025-03-13 - CVE-2025-2079 published to NVD and CISA ICS Advisory ICSA-25-070-02 released
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2079
Vulnerability Analysis
The vulnerability stems from a secret key compiled into the Optigo Networks Visual BACnet Capture Tool and the Optigo Visual Networks Capture Tool. Both products use this key as the signing secret when issuing JWT session tokens. Because the secret is identical across every installation, an attacker who extracts it from one copy of the software can sign tokens that every deployment accepts.
A JWT consists of a header, a payload of claims, and a signature computed over the first two parts with a server-held key. The signature is what lets the server trust the claims without looking them up; it proves something only as long as the key is known solely to the issuing server. When the key is a static constant shared by every installation, anyone holding it can produce signatures the server accepts, so the signature no longer demonstrates that the server issued the token. An attacker can therefore craft a payload claiming any user identity and role, sign it with the recovered key, and present it to the application as if it were a legitimate session.
The issue maps to CWE-547. It is reachable over the network without prior authentication or user interaction: the forged token takes the place of credentials, so the attacker never has to log in. Successful exploitation grants the attacker the privileges of the impersonated account, including access to captured BACnet traffic from the target environment.
Root Cause
The root cause is embedding a cryptographic secret directly into application code or configuration that ships to every customer, rather than generating a unique key for each installation at install time and storing it outside the distributed software. Nothing derives, rotates, or protects the key per deployment, so every instance of version 3.1.2rc11 shares the same JWT signing secret, and recovering it from one copy is equivalent to recovering it from all of them.
Attack Vector
An attacker reverse-engineers the application binary or configuration to recover the hard-coded key; this step can be done offline against any copy of the software. Using any standard JWT library, the attacker then constructs a token whose claims assert an administrator or operator identity and signs it with the recovered secret. Submitting the forged token to the capture tool's web interface yields an authenticated session without ever supplying credentials. Network reachability of the management interface is the only prerequisite.
No verified public exploit code is available for this vulnerability. See the CISA ICS Advisory ICSA-25-070-02 for vendor and coordination details.
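The mechanism described in the Vulnerability Analysis, Root Cause and Attack Vector sections above, shown end to end as an added example (this is not code from the Optigo products or from the CISA advisory): a toy HS256 issuer and verifier, a token forged with a secret that is assumed to be compiled into every copy, and the hardened form in which each installation generates its own random key. The secret value, the claim names (`sub`, `role`) and the verifier are constructed stand-ins; the real key and token layout are not public.

```python
"""Why a build-wide JWT signing secret defeats authentication, and the fix.

Added example; this is not code from the Optigo products or from the CISA
advisory. The secret value, the claim names and the verifier are constructed
stand-ins: the real key and token layout are not public.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed stand-in for a secret compiled into every shipped copy.
SHARED_BUILD_SECRET = b"example-secret-compiled-into-every-install"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64url or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None  # refuse 'none' and algorithm-confusion headers
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


def forge_admin_token(extracted_secret: bytes, now: float) -> str:
    """What an attacker mints once the shared secret is recovered from any one copy.
    Claim names are constructed; they are not the product's real claim set."""
    claims = {"sub": "admin", "role": "administrator", "iat": int(now), "exp": int(now) + 3600}
    return sign_jwt(claims, extracted_secret)


def generate_installation_key() -> bytes:
    """Hardened form: a random key generated once per installation and kept in a
    key file or secret store outside the shipped software, never compiled in."""
    return secrets.token_bytes(32)


def demo(now: float = 1_741_824_000.0) -> Tuple[bool, bool]:
    """Return (forged token accepted by a shared-secret deployment,
               forged token accepted by a per-installation-key deployment)."""
    forged = forge_admin_token(SHARED_BUILD_SECRET, now)
    # Vulnerable: a second site verifies with the same compiled-in secret.
    accepted_vulnerable = verify_jwt(forged, SHARED_BUILD_SECRET, now) is not None
    # Fixed: the site verifies with its own random key, so the HMAC mismatches.
    accepted_fixed = verify_jwt(forged, generate_installation_key(), now) is not None
    return accepted_vulnerable, accepted_fixed


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print(f"forged token accepted with shared build secret: {vulnerable}")
    print(f"forged token accepted with per-installation key: {fixed}")
```

The verifier pins the algorithm to HS256 and compares signatures in constant time; neither step helps here, because the forged token carries a correct signature. The only control that defeats the forgery is the one `generate_installation_key` stands for: a key the attacker cannot read out of a copy of the software.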
Detection Methods for CVE-2025-2079
Indicators of Compromise
- Authenticated sessions on the capture tool originating from IP addresses not associated with operator workstations
- JWT tokens presented to the application that do not correspond to a prior interactive login event in audit logs
- Unexpected access to BACnet capture exports or configuration changes outside maintenance windows
Detection Strategies
- Compare web server access logs against authentication logs to surface sessions that lack a preceding login transaction
- Alert on management-interface access from outside designated engineering workstation subnets
- Inspect the iat and exp claims of presented tokens for anomalies that suggest they were minted outside the application server: an issuance time that precedes any login, a lifetime longer than the application issues, or an issuance time in the future relative to the request
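The three strategies above, and the session-without-login indicator listed under Indicators of Compromise, run over constructed sample logs as an added example (not part of the advisory or of the Optigo products). The log layouts, field names, claim names, subnets and the 24-hour expected token lifetime are assumptions for illustration and would need to be adapted to the tool's real logs; the JWTs in the sample lines carry a dummy signature because log analysis only decodes the payload.

```python
"""Detecting forged-session use: correlate web requests with login events.

Added example; not part of the CISA advisory or the Optigo products. Log
formats, field and claim names, addresses and thresholds are constructed.
"""
import base64
import ipaddress
import json
import re
from datetime import datetime, timezone

# Assumed: where interactive operators are expected to connect from.
OPERATOR_SUBNETS = [ipaddress.ip_network("10.20.30.0/24")]
# Assumed: a successful login must precede a token's iat by at most this many seconds.
LOGIN_WINDOW_S = 120
# Assumed: the longest lifetime the application server itself issues.
MAX_LIFETIME_S = 24 * 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _unsigned_token(claims: dict) -> str:
    """JWT-shaped string for the constructed log; the signature part is a dummy."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"


def _ts(stamp: str) -> int:
    return int(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


T0 = _ts("2025-03-14T09:00:00Z")

# Constructed sample authentication log: one legitimate interactive login.
AUTH_LOG = [
    "2025-03-14T09:00:12Z login user=operator1 src=10.20.30.15 result=success",
]

# Constructed sample web access log: one normal request, one forged-admin request
# from an external address whose token was never preceded by a login.
ACCESS_LOG = [
    "2025-03-14T09:01:02Z src=10.20.30.15 GET /api/captures token="
    + _unsigned_token({"sub": "operator1", "iat": T0 + 12, "exp": T0 + 3612}),
    "2025-03-14T09:05:40Z src=203.0.113.7 GET /api/captures/export token="
    + _unsigned_token({"sub": "admin", "iat": T0 - 86400, "exp": T0 + 2592000}),
]

AUTH_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=success$")
ACCESS_RE = re.compile(r"^(\S+) src=(\S+) (\S+) (\S+) token=(\S+)$")


def parse_logins(lines):
    """Map user -> list of successful interactive login timestamps."""
    logins = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            logins.setdefault(m.group(2), []).append(_ts(m.group(1)))
    return logins


def find_suspicious_sessions(access_lines, auth_lines):
    """Return (request_time, src, sub, reasons) for every request whose token has no
    preceding login, arrives from outside operator subnets, or has odd timestamps."""
    logins = parse_logins(auth_lines)
    findings = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        req_time, src, token = _ts(m.group(1)), m.group(2), m.group(5)
        claims = json.loads(_b64url_decode(token.split(".")[1]))  # payload only, no verification
        sub, iat, exp = claims.get("sub"), claims.get("iat", 0), claims.get("exp", 0)
        reasons = []
        if not any(0 <= iat - t <= LOGIN_WINDOW_S for t in logins.get(sub, [])):
            reasons.append("no login event preceding token iat")
        if not any(ipaddress.ip_address(src) in net for net in OPERATOR_SUBNETS):
            reasons.append("source outside operator subnets")
        if iat > req_time or exp - iat > MAX_LIFETIME_S:
            reasons.append("iat/exp outside the server's expected token lifetime")
        if reasons:
            findings.append((m.group(1), src, sub, reasons))
    return findings


if __name__ == "__main__":
    for when, src, sub, reasons in find_suspicious_sessions(ACCESS_LOG, AUTH_LOG):
        print(f"{when} {src} sub={sub}: " + "; ".join(reasons))
```

The correlation needs both logs to share a user identifier and a comparable clock; if the tool's login events do not record the account name that ends up in the token's `sub`, the first check has to key on source address and time instead, which is weaker but still surfaces tokens that appear without any login at all.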
Monitoring Recommendations
- Forward Optigo capture tool application and web logs to a central SIEM for correlation with network telemetry
- Monitor for new TCP sessions to the capture tool from unexpected source networks, including the internet
- Track configuration export, packet capture download, and user management actions as high-value audit events
How to Mitigate CVE-2025-2079
Immediate Actions Required
- Restrict network access to the Visual BACnet Capture Tool and Visual Networks Capture Tool to trusted engineering workstations using firewall or ACL rules
- Remove direct internet exposure of the management interface and place it behind a VPN or jump host
- Review session and access logs for evidence of unauthorized authenticated activity since deployment of version 3.1.2rc11
Patch Information
Refer to the CISA ICS Advisory ICSA-25-070-02 for vendor-supplied remediation guidance and updated software versions from Optigo Networks. Upgrade affected installations as soon as a fixed release is available from the vendor. After upgrading, confirm that the tool no longer accepts sessions signed with the old shared secret, for example by checking that a session token issued before the upgrade is rejected; if it is still accepted, the signing key has not changed and the exposure remains.
Workarounds
- Segment the capture tool onto an isolated operations VLAN with strict ingress filtering
- Require multi-factor authentication at an upstream reverse proxy and make that proxy the only network path to the tool; a forged JWT still works against the tool itself, so the proxy helps only if direct access to the tool's interface is blocked
- Decommission unused installations of version 3.1.2rc11 until a patched build can be deployed
# Example host firewall rules limiting access to the capture tool's web interface
# (assumed here to listen on TCP/443; adjust the port and subnet to the deployment)
# to a single engineering subnet. Rule order matters: the ACCEPT must precede the DROP.
iptables -A INPUT -p tcp --dport 443 -s 10.20.30.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.