CVE-2025-64386 Overview
CVE-2025-64386 is a session management vulnerability in Circutor industrial equipment. The device issues a JSON Web Token (JWT) for each web session, but the server does not invalidate previously issued tokens when a new session begins, so an older token stays usable for as long as its expiry claim allows. An attacker who has obtained an earlier JWT for an account can replay it against the web server and operate alongside the legitimate user's active session, with no notification to that user. Once accepted, the replayed token carries the same privileges as the original login: the attacker can modify security parameters, change access settings, or take over the session outright. The flaw is tracked under CWE-613: Insufficient Session Expiration.
Critical Impact
An attacker holding a captured JWT can reuse it during an active session to take over administrative functions on the affected industrial gateway, with no notification to the legitimate user.
Affected Products
- Circutor industrial IoT gateway and conversion equipment (see Circutor Product Information for the affected models and firmware versions)
- Firmware builds whose web management interface issues JWT-based session tokens without server-side invalidation
- Exposure is greatest in deployments where the device web server is reachable from networks other than a dedicated engineering segment
Discovery Timeline
- 2025-10-31 - CVE-2025-64386 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-64386
Vulnerability Analysis
The affected equipment authenticates web users by issuing a JWT at each login. The server treats any signature-valid, unexpired JWT as proof of a live session: it does not bind tokens to a single active session, does not record issued token identifiers (jti), and does not revoke earlier tokens when a new login occurs. An attacker holding an older JWT for the same account can therefore use it in parallel with the legitimate user.
The attacker gains the same privileges as the legitimate user, including changing security settings, modifying access control parameters, and reading or altering device telemetry. The legitimate session stays active and receives no indication of the parallel access. The attack requires network reach to the device web interface and a way to obtain a valid token, which generally depends on the legitimate user (for example, their traffic being intercepted or their browser storage being read).
Root Cause
The root cause is insufficient session expiration [CWE-613]. The web server validates JWTs solely by signature and expiry claim. It maintains no server-side session registry, so revoking, rotating, or invalidating a token on re-login is not possible. Stateless JWT validation without a deny list or token binding leaves replay as a viable attack path.
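The following added example (not Circutor's code) illustrates both the behaviour described under Vulnerability Analysis and the fix the Root Cause implies. It implements a minimal HS256 JWT issuer and two validators: VulnerableServer accepts any signature-valid, unexpired token, while HardenedServer keeps a server-side registry of the one live jti per account so that a new login or a logout retires earlier tokens. The signing key, account name and clock values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example (not Circutor code): a minimal HS256 JWT issuer plus two
# validators. Key, account names and the 'now' clock values are constructed.
KEY = b"demo-device-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub: str, ttl: int, now: int) -> str:
    """Mint an HS256 JWT with a random jti, as a login endpoint would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, now: int):
    """Stateless check: signature and exp only. Returns the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class VulnerableServer:
    """Mirrors the flaw: every signature-valid, unexpired JWT is a live session."""

    def login(self, user: str, now: int) -> str:
        return issue_jwt(user, ttl=3600, now=now)

    def authorize(self, token: str, now: int) -> bool:
        return verify_signature(token, now) is not None


class HardenedServer:
    """Fix for CWE-613: a server-side registry of the one live jti per account.
    A new login replaces the old jti, so earlier tokens stop working; logout
    clears it. Signature validity alone no longer implies a session."""

    def __init__(self):
        self.active_jti = {}  # sub -> jti of the current session

    def login(self, user: str, now: int) -> str:
        token = issue_jwt(user, ttl=3600, now=now)
        self.active_jti[user] = json.loads(_b64url_decode(token.split(".")[1]))["jti"]
        return token

    def logout(self, token: str, now: int) -> None:
        claims = verify_signature(token, now)
        if claims and self.active_jti.get(claims["sub"]) == claims["jti"]:
            del self.active_jti[claims["sub"]]

    def authorize(self, token: str, now: int) -> bool:
        claims = verify_signature(token, now)
        return bool(claims) and self.active_jti.get(claims["sub"]) == claims["jti"]


def replay_demo() -> dict:
    """User logs in twice; attacker replays the first token after the second login."""
    results = {}
    for name, server in (("vulnerable", VulnerableServer()), ("hardened", HardenedServer())):
        old_token = server.login("admin", now=1000)          # first session
        server.login("admin", now=1600)                      # user logs in again
        results[name] = server.authorize(old_token, now=1700)  # replay of the old token
    return results


if __name__ == "__main__":
    print(replay_demo())  # {'vulnerable': True, 'hardened': False}
```

The registry is the smallest change that closes the replay path; a per-account list of live jti values would allow a bounded number of concurrent sessions instead of one, and a deny list of revoked jti values (pruned at exp) is the usual alternative when tokens must stay stateless elsewhere in the system.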
Attack Vector
An attacker first obtains a valid JWT through one of several routes. These include sniffing unencrypted or weakly protected HTTP traffic, recovering tokens from browser storage, or capturing tokens through a phishing or man-in-the-middle scenario. The attacker then submits the captured token in the Authorization header to authenticated endpoints on the device web server. The server accepts the token as long as the signature is valid and the expiration has not passed, granting full session privileges. Detailed analysis is available in the Hackrtu Blog on 0-Day Analysis.
Detection Methods for CVE-2025-64386
Indicators of Compromise
- Concurrent authenticated requests presenting the same JWT (identical token value, or identical jti and iat claims) from different source IP addresses
- Configuration or access-control changes on the device that do not correlate with the legitimate user's activity window
- Requests presenting a JWT whose iat claim predates the account's most recent login event recorded on the device
- Unexpected modifications to security parameters in the device audit log
Detection Strategies
- Inspect web server access logs for repeated use of the same token across distinct client fingerprints or source addresses (compare a hash of the token value rather than recording tokens in full)
- Correlate device administrative actions with originating IP, user-agent, and login timestamps to surface deviations
- Alert on changes to authentication, role assignment, or network configuration outside maintenance windows
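As an added example (not the device's logging format or any vendor tooling), the detector below runs the first two strategies over constructed sample log lines: it hashes each presented token and flags tokens seen from more than one client (source address plus user agent), and it flags any token whose iat predates the account's latest successful login. The key=value log format, the account name, addresses and tokens are all made up for the demonstration.

```python
import base64
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Added example, not Circutor code. The log line format (ISO timestamp followed
# by space-separated key=value fields) and every entry below are constructed.


def _epoch(ts: str) -> int:
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def _demo_token(claims: dict) -> str:
    """JWT-shaped string with a dummy signature; the detector reads only the payload."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


def _claims(token: str):
    """Decode the payload without verification (the analyst has no signing key)."""
    try:
        payload = token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (IndexError, ValueError):
        return None


T0 = _epoch("2025-11-03T09:00:00Z")
OLD = _demo_token({"sub": "admin", "iat": T0, "exp": T0 + 3600, "jti": "a1"})
NEW = _demo_token({"sub": "admin", "iat": T0 + 600, "exp": T0 + 4200, "jti": "b2"})
SAMPLE_LOG = f"""\
2025-11-03T09:00:00Z src=10.10.20.5 ua=ops-browser path=/login status=200 user=admin
2025-11-03T09:01:00Z src=10.10.20.5 ua=ops-browser path=/api/config status=200 token={OLD}
2025-11-03T09:10:00Z src=10.10.20.5 ua=ops-browser path=/login status=200 user=admin
2025-11-03T09:11:00Z src=10.10.20.5 ua=ops-browser path=/api/config status=200 token={NEW}
2025-11-03T09:12:00Z src=192.0.2.77 ua=curl/8.0 path=/api/security status=200 token={OLD}
"""


def parse_line(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = _epoch(ts)
    return fields


def analyze(log_text: str) -> list:
    """Findings for tokens shared across clients and stale tokens replayed after a re-login."""
    findings = []
    clients_by_token = defaultdict(set)   # token fingerprint -> {(src, ua)}
    last_login = {}                       # user -> epoch of latest successful /login
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("path") == "/login" and f.get("status") == "200" and "user" in f:
            last_login[f["user"]] = f["ts"]
            continue
        token = f.get("token")
        if not token:
            continue
        fp = hashlib.sha256(token.encode()).hexdigest()[:16]  # never record raw tokens
        clients_by_token[fp].add((f.get("src"), f.get("ua")))
        claims = _claims(token)
        # A token minted before the account's most recent login is a replay candidate.
        if claims and claims.get("iat", 0) < last_login.get(claims.get("sub"), 0):
            findings.append({"kind": "stale_token_after_relogin", "token": fp,
                             "jti": claims.get("jti"), "src": f.get("src"), "ts": f["ts"]})
    for fp, clients in clients_by_token.items():
        if len(clients) > 1:
            findings.append({"kind": "token_shared_across_clients", "token": fp,
                             "clients": sorted(clients, key=str)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Two caveats when adapting this to real device logs: the Authorization header is often not logged at all, in which case only the login-to-action correlation (source address and user agent of administrative changes versus the last login) remains available, and clients behind the same NAT share a source address, so the user-agent component is what keeps the first check useful there.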
Monitoring Recommendations
- Forward device web server and audit logs to a centralized log platform for cross-session correlation
- Monitor north-south traffic to the device management interface for plaintext token exposure or unexpected client geographies
- Track failed and successful authentication events and compare them against active session counts to detect anomalies
How to Mitigate CVE-2025-64386
Immediate Actions Required
- Restrict network access to the device web interface using firewall rules or a management VLAN, allowing only trusted administrative hosts
- Force TLS for all management traffic and disable any HTTP fallback to prevent token capture in transit
- Rotate credentials on affected accounts and invalidate any tokens currently in use by whatever means the firmware offers; because the server validates only signature and expiry, a password change does not by itself reject tokens already issued, which remain usable until their exp claim passes, so the network restrictions above carry the load until a fix ships
- Review device audit logs for unauthorized configuration changes since deployment
Patch Information
No vendor patch reference is published in the available data. Operators should contact Circutor and consult the Hackrtu Blog on 0-Day Analysis and Thales Group Security Overview for updates. Apply firmware updates as soon as the vendor releases a fix.
Workarounds
- Place the device behind a reverse proxy that terminates TLS, enforces short token lifetimes and rejects token identifiers reused from a different client or after a newer login; this only holds if the proxy is the sole path to the device
- Require VPN access to reach the management interface, eliminating direct network exposure
- Reduce session duration through any available device configuration and instruct operators to log out promptly after administrative tasks
- Segment the industrial network so that only dedicated engineering workstations can reach the device
# Example firewall rule restricting management access to a single jump host.
# Run on a Linux host in the path to the device; on a separate firewall in front of
# the device, apply the same match in the FORWARD chain with -d <device address>.
iptables -A INPUT -p tcp --dport 443 -s 10.10.20.5 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# -A appends, so check with `iptables -S INPUT` that no earlier ACCEPT rule already matches port 443.
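The reverse-proxy workaround in the list above, as an added example that is not Circutor's code or any real proxy product's configuration: a small policy object a TLS-terminating proxy could apply to each request. Without the signing key it cannot verify tokens, but it can reject tokens whose exp minus iat exceeds a policy cap, impose its own age limit from the moment it first saw a token, and pin each token identifier to the first client (source address plus user agent) that presented it. The limits, addresses and tokens are assumed values for the demonstration.

```python
import base64
import hashlib
import json

# Added example, not Circutor code or a real proxy's configuration. Models the
# policy a reverse proxy in front of the device could enforce after terminating
# TLS. Lifetime and age limits are assumed values, not vendor guidance.
MAX_TOKEN_LIFETIME = 900   # reject tokens whose exp - iat is longer than 15 minutes
MAX_SESSION_AGE = 600      # proxy-side expiry: 10 minutes after the proxy first saw the token


def _claims(token: str):
    """Decode the JWT payload without verifying it (the proxy has no signing key)."""
    try:
        payload = token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (IndexError, ValueError):
        return None


def demo_token(claims: dict) -> str:
    """Constructed JWT-shaped token with a dummy signature, for the demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


class TokenGate:
    def __init__(self, max_lifetime=MAX_TOKEN_LIFETIME, max_age=MAX_SESSION_AGE):
        self.max_lifetime = max_lifetime
        self.max_age = max_age
        self.first_seen = {}   # token id -> (client fingerprint, first-seen time)

    def check(self, token: str, src_ip: str, user_agent: str, now: int):
        """Return (allowed, reason). Allow only tokens that are short-lived, unexpired,
        within the proxy's own age limit, and presented by the client that first used them."""
        claims = _claims(token)
        if not claims or "iat" not in claims or "exp" not in claims:
            return False, "malformed or missing iat/exp"
        if claims["exp"] - claims["iat"] > self.max_lifetime:
            return False, "token lifetime exceeds policy"
        if claims["exp"] <= now:
            return False, "expired"
        # Bind the token identifier to the first client that presented it; fall back
        # to a hash of the whole token when the device does not set a jti claim.
        token_id = claims.get("jti") or hashlib.sha256(token.encode()).hexdigest()
        client = hashlib.sha256(f"{src_ip}|{user_agent}".encode()).hexdigest()[:16]
        first_client, first_ts = self.first_seen.setdefault(token_id, (client, now))
        if first_client != client:
            return False, "token identifier reused from a different client"
        if now - first_ts > self.max_age:
            return False, "proxy session age exceeded"
        return True, "ok"


if __name__ == "__main__":
    gate = TokenGate()
    tok = demo_token({"sub": "admin", "iat": 1000, "exp": 1900, "jti": "x1"})
    print(gate.check(tok, "10.10.20.5", "ops-browser", now=1100))   # (True, 'ok')
    print(gate.check(tok, "192.0.2.77", "curl/8.0", now=1110))      # reused from another client
```

The first_seen map must be pruned at exp or the proxy leaks memory under sustained load, and the client fingerprint is a compensating control rather than an identity: two operators behind one NAT with the same browser share a fingerprint, and an attacker who can spoof both source address and user agent defeats it, which is why the proxy's own age limit and the lifetime cap are enforced independently of the binding.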
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


