CVE-2025-64386 Overview
CVE-2025-64386 is a session management flaw affecting a Circutor IoT gateway. The device issues a JSON Web Token (JWT) for each new connection but fails to invalidate prior tokens when a new session begins. An attacker who captures an old JWT can replay it against the web server while the legitimate session is still active. Successful replay grants the attacker the ability to modify security parameters, change access settings, or take over the session without the legitimate user being notified. The weakness is tracked under CWE-613 (Insufficient Session Expiration).
Critical Impact
An attacker holding a stolen JWT can hijack an active administrative session on the gateway and alter security or access configuration silently.
Affected Products
- Circutor IoT industrial gateway (model referenced as D80010)
- Web management interface of the affected equipment
- Session management component issuing JWT tokens
Discovery Timeline
- 2025-10-31 - CVE-2025-64386 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64386
Vulnerability Analysis
The gateway grants a JWT to each new browser connection but does not bind the token to an exclusive active session. When a user authenticates and receives a new token, previously issued tokens remain valid on the server. An attacker who has obtained a prior JWT can present it on a parallel request and the web server accepts it as authoritative. The legitimate session continues to function, so the user has no visible indication that a second actor is operating with the same privileges. This category of weakness is classified as Session Hijacking driven by Insufficient Session Expiration [CWE-613]. Exploitation requires user interaction, such as the victim using a compromised network path or device from which the token can be obtained.
Root Cause
The web server enforces only the cryptographic validity and expiry claim of the JWT. It does not maintain a server-side allow-list of currently active session identifiers, nor does it revoke older tokens when a new authentication occurs. As a result, any previously issued, non-expired JWT is treated as a legitimate credential.
Attack Vector
The attack is performed over the network against the gateway's web interface. The attacker must first acquire a valid JWT — for example through traffic interception, a malicious browser extension, or extraction from client storage. The attacker then replays the token in Authorization headers or session cookies. No additional credentials are required, and the legitimate session continues unaffected.
No public proof-of-concept code has been verified. Technical analysis is published in the HackRTU Blog CG 0-Day Analysis.
Detection Methods for CVE-2025-64386
Indicators of Compromise
- Concurrent active sessions on the gateway web interface tied to the same user account from different source IP addresses.
- Repeated use of a JWT jti or signature value across non-overlapping client fingerprints (user-agent, TLS fingerprint).
- Configuration changes to access control or security parameters that do not correlate with logged administrative activity from the legitimate operator.
Detection Strategies
- Inspect the gateway's web access logs for the same JWT being presented from multiple source addresses within a short time window.
- Correlate authentication events with subsequent privileged actions to identify configuration changes lacking a fresh login event.
- Compare the issuance timestamp (iat) of presented tokens against the most recent authentication; tokens older than the latest login should be treated as suspicious.
Monitoring Recommendations
- Forward gateway web server and authentication logs to a central SIEM and alert on duplicate JWT use across distinct client sources.
- Monitor for changes to security, user, and access-control parameters on the device and require an out-of-band confirmation.
- Capture and review network flows to the gateway management interface for connections from unexpected hosts or networks.
How to Mitigate CVE-2025-64386
Immediate Actions Required
- Restrict network access to the gateway management interface to a dedicated administrative VLAN or jump host.
- Force re-authentication for all current sessions and rotate any administrative credentials used on the device.
- Require HTTPS for all management traffic and disable any plaintext management protocols on the gateway.
- Contact Circutor support to confirm the availability of a firmware update addressing the session expiration weakness referenced on the Circutor IoT Gateway product page.
Patch Information
No fixed firmware version is listed in the NVD record at the time of publication. Operators should track vendor advisories from Circutor and the disclosure write-up at the HackRTU Blog CG 0-Day Analysis for remediation availability. Until a patch is applied, treat the device as exposed to session replay.
Workarounds
- Place the gateway behind a reverse proxy that enforces server-side session binding to source IP and TLS client fingerprint.
- Reduce the JWT lifetime on the device, if configurable, to the shortest practical interval to limit the replay window.
- Terminate management sessions explicitly after each administrative task rather than relying on token expiry.
- Segment the OT network so that the gateway management plane is not reachable from general-purpose IT endpoints.
# Example: restrict management interface access with iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <gateway_ip> --dport 443 -s <admin_jumphost_ip> -j ACCEPT
iptables -A FORWARD -p tcp -d <gateway_ip> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

