CVE-2025-59780 Overview
CVE-2025-59780 is a missing authentication vulnerability [CWE-306] affecting the General Industrial Controls Lynx+ Gateway. The embedded web server fails to enforce authentication on incoming requests. Unauthenticated attackers with network access can issue HTTP GET requests to retrieve sensitive device information. The flaw is reachable remotely without user interaction or prior credentials. CISA published advisory ICSA-25-317-08 covering this issue in operational technology (OT) environments.
Critical Impact
Remote, unauthenticated attackers can extract sensitive configuration and device information from Lynx+ Gateway units exposed to reachable networks, providing reconnaissance data that supports follow-on attacks against industrial control systems.
Affected Products
- General Industrial Controls Lynx+ Gateway (embedded web server)
- Industrial control system (ICS) deployments using the Lynx+ Gateway
- Operational technology (OT) networks exposing the gateway HTTP interface
Discovery Timeline
- 2025-11-15 - CVE-2025-59780 published to the National Vulnerability Database (NVD)
- 2025-11-15 - CISA publishes ICS Advisory ICSA-25-317-08
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-59780
Vulnerability Analysis
The Lynx+ Gateway exposes an embedded web server intended for device management. That web server does not authenticate inbound HTTP requests before serving responses. As a result, a remote actor can issue arbitrary GET requests against the gateway and receive sensitive device information in response.
The vulnerability is classified as Missing Authentication for Critical Function [CWE-306]. Attackers do not need credentials, tokens, or session state. The attack vector is network-based and requires no user interaction. Information disclosed through this interface can include device identifiers, configuration parameters, and runtime data useful for fingerprinting and lateral movement.
While the issue itself is an information disclosure flaw, ICS reconnaissance directly enables targeted attacks against process control infrastructure. Adversaries commonly chain exposed device data with protocol-level attacks against industrial assets.
Root Cause
The embedded web server omits authentication checks on endpoints that return sensitive device data. The HTTP request handler returns responses based solely on the request path, with no verification of caller identity. This represents a design-level access control failure rather than an implementation bug in a specific function.
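The root cause described above, modelled as an added example (not the gateway's actual code; the real endpoint paths, response fields and credential handling are not described in the advisory): a hypothetical handler whose response is chosen from the request path alone, beside one that authenticates every request before any path-specific logic runs. The token, path and device fields are placeholders.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders; the real endpoint paths, fields and credential
# handling of the Lynx+ Gateway are not described in the advisory.
DEVICE_INFO = {"model": "Lynx+ Gateway", "firmware": "X.Y.Z", "serial": "SN-PLACEHOLDER"}
API_TOKEN = "replace-with-per-device-secret"

def dispatch_unauthenticated(path, headers):
    """CWE-306 pattern: the response is chosen from the path alone,
    so any host that can reach the port receives the device data."""
    if path == "/device/info":
        return 200, json.dumps(DEVICE_INFO)
    return 404, ""

def is_authorized(headers):
    """Bearer-token check in constant time; absent or malformed headers fail closed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], API_TOKEN)

def dispatch_hardened(path, headers):
    """Authenticate before any path-specific logic, including 404 handling,
    so unauthenticated callers cannot even learn which endpoints exist."""
    if not is_authorized(headers):
        return 401, ""
    return dispatch_unauthenticated(path, headers)

class GatewayHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end for running dispatch_hardened locally."""
    def do_GET(self):
        status, body = dispatch_hardened(self.path, self.headers)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", "Bearer")
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), GatewayHandler).serve_forever()
```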
Attack Vector
Exploitation requires only network reachability to the gateway's HTTP service. An attacker sends a standard GET request to information-returning endpoints and parses the response. No authentication header, cookie, or pre-shared key is required. Gateways exposed to the internet, business networks, or flat OT networks are reachable to any host that can route to them. See the CISA ICS Advisory ICSA-25-317-08 for vendor-coordinated technical details.
Detection Methods for CVE-2025-59780
Indicators of Compromise
- Unauthenticated HTTP GET requests to Lynx+ Gateway management endpoints originating from unexpected source addresses
- HTTP 200 responses from the gateway web server without preceding authentication exchanges
- Repeated GET request patterns consistent with automated enumeration or scraping of device pages
- Outbound connections from OT network segments to attacker infrastructure following gateway reconnaissance
Detection Strategies
- Inspect network traffic for HTTP requests directed at Lynx+ Gateway IP addresses and flag any access originating outside an approved management subnet
- Correlate gateway HTTP access events with asset inventory to identify rogue scanning hosts
- Apply intrusion detection signatures that match GET requests to known Lynx+ Gateway information endpoints
Monitoring Recommendations
- Enable full packet capture or NetFlow on segments that contain Lynx+ Gateway devices
- Forward firewall and switch logs covering OT subnets into a centralized analytics platform for retention and search
- Alert on any non-management host issuing HTTP traffic to gateway addresses
- Baseline normal management traffic patterns and trigger on deviations such as new source addresses or unusual request rates
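The detection strategies and monitoring recommendations above, as an added example that is not from the advisory or the vendor: a small Python checker over constructed key=value flow log lines that flags gateway web access from outside the management subnet and per-minute request bursts consistent with automated enumeration. The gateway address 192.168.20.10 and management subnet 10.10.50.0/24 are the placeholders used in this page's configuration example; the log format, source addresses and request paths are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Placeholder addresses (same as the page's iptables example); adjust for your network.
GATEWAYS = {ipaddress.ip_address("192.168.20.10")}
MGMT_NET = ipaddress.ip_network("10.10.50.0/24")
HTTP_PORTS = {80, 443}
ENUM_THRESHOLD = 5  # requests per source per minute treated as enumeration
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed log lines, not real device or firewall output; paths are invented.
SAMPLE_LOG = [
    "2025-11-20T10:00:05Z src=10.10.50.5 dst=192.168.20.10 dport=80 method=GET path=/ status=200",
    "2025-11-20T10:01:00Z src=172.16.0.9 dst=192.168.20.10 dport=80 method=GET path=/info status=200",
    "2025-11-20T10:01:01Z src=172.16.0.9 dst=192.168.20.10 dport=80 method=GET path=/config status=200",
    "2025-11-20T10:01:02Z src=172.16.0.9 dst=192.168.20.10 dport=80 method=GET path=/status status=200",
    "2025-11-20T10:01:03Z src=172.16.0.9 dst=192.168.20.10 dport=80 method=GET path=/network status=200",
    "2025-11-20T10:01:04Z src=172.16.0.9 dst=192.168.20.10 dport=80 method=GET path=/system status=200",
    "2025-11-20T10:02:00Z src=172.16.0.9 dst=192.168.20.99 dport=80 method=GET path=/ status=200",
]

def parse_line(line):
    """Parse '<iso-ts> key=value ...' into a dict with typed ts/src/dst/dport."""
    ts, _, rest = line.strip().partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec

def detect(lines):
    """Return (kind, source, detail) alerts for gateway web traffic."""
    alerts = []
    per_minute = defaultdict(Counter)  # src -> Counter(minute bucket -> hits)
    for line in lines:
        r = parse_line(line)
        if r["dst"] not in GATEWAYS or r["dport"] not in HTTP_PORTS:
            continue  # only HTTP/HTTPS to a gateway address matters here
        if r["src"] not in MGMT_NET:
            alerts.append(("unauthorized_source", str(r["src"]), r.get("path", "")))
        per_minute[r["src"]][r["ts"].replace(second=0, microsecond=0)] += 1
    for src, buckets in per_minute.items():
        for bucket, n in buckets.items():
            if n >= ENUM_THRESHOLD:
                alerts.append(("enumeration_burst", str(src), f"{n} requests from {bucket.isoformat()}"))
    return alerts
```

Feed `detect()` the flow or proxy records for the segment that contains the gateway; the management host in the sample produces no alert while the non-management host produces both alert kinds.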
How to Mitigate CVE-2025-59780
Immediate Actions Required
- Remove Lynx+ Gateway devices from direct internet exposure and verify no port forwarding rules permit external HTTP access
- Restrict access to the gateway web server to a dedicated management VLAN using firewall access control lists
- Audit recent gateway HTTP traffic for unauthorized GET requests and investigate any unexpected source addresses
- Contact General Industrial Controls for vendor remediation guidance referenced in ICSA-25-317-08
Patch Information
No fixed version is listed in the published NVD record at the time of writing. Refer to the CISA ICS Advisory ICSA-25-317-08 and the CSAF advisory data for the most current vendor mitigation status. Apply firmware updates from General Industrial Controls as they become available.
Workarounds
- Place Lynx+ Gateway units behind a properly segmented OT firewall and block all inbound HTTP from non-management networks
- Require operators to access the gateway only through a hardened jump host with multi-factor authentication and session logging
- Disable the embedded web server interface where the device permits configuration via an alternate, authenticated channel
- Follow CISA guidance on ICS defense-in-depth, including network isolation, VPN-only remote access, and continuous monitoring
```shell
# Configuration example: restrict gateway web access to a management subnet
# Replace 10.10.50.0/24 with your authorized management network
# Replace 192.168.20.10 with the Lynx+ Gateway IP
# Rules are matched in order: the ACCEPT entries must come before the DROP entries,
# and all four must precede any catch-all ACCEPT already present in FORWARD
iptables -A FORWARD -s 10.10.50.0/24 -d 192.168.20.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.10.50.0/24 -d 192.168.20.10 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 192.168.20.10 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 192.168.20.10 -p tcp --dport 443 -j DROP
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.