CVE-2025-67135 Overview
A critical authentication bypass vulnerability exists in the PGST PG107 Alarm System 1.25.05.hf due to weak security implementation in the PF-50 1.2 keyfob. This vulnerability allows attackers to compromise access control via a code replay attack (CWE-294: Authentication Bypass by Capture-replay). The flaw enables unauthorized individuals to intercept and replay authentication codes transmitted between the keyfob and the alarm system, effectively bypassing physical security controls.
Critical Impact
Attackers can bypass alarm system authentication by capturing and replaying keyfob signals, potentially gaining unauthorized physical access to protected premises.
Affected Products
- PGST PG107 Alarm System version 1.25.05.hf
- PF-50 Keyfob version 1.2
Discovery Timeline
- 2026-02-11 - CVE-2025-67135 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2025-67135
Vulnerability Analysis
This vulnerability stems from the lack of rolling code or challenge-response authentication mechanisms in the PF-50 keyfob's communication protocol with the PG107 Alarm System. Without cryptographic freshness guarantees, the authentication tokens transmitted wirelessly remain static or predictable, making them susceptible to capture-replay attacks.
The weakness is classified under CWE-294 (Authentication Bypass by Capture-replay): the system fails to adequately protect against an attacker who can intercept legitimate authentication traffic and later replay it to gain unauthorized access. This is particularly concerning for physical security systems, where a bypass can result in unauthorized entry to protected spaces.
Root Cause
The root cause of this vulnerability is the implementation of weak or non-existent anti-replay protections in the keyfob-to-alarm communication protocol. The PF-50 keyfob transmits authentication codes that do not incorporate time-sensitive elements, nonces, or rolling code mechanisms that would invalidate previously captured transmissions. This design flaw allows an adversary with radio frequency capture equipment to record valid authentication sequences and replay them at will.
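The difference between a static code and a rolling code can be shown with a small receiver model. This is an added example, not PGST code or the PF-50 protocol: the frame layout (4-byte counter, 1-byte command, 8-byte truncated HMAC-SHA256 tag), the key, the fixed code and the acceptance window are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed pairing secret, not a real value
WINDOW = 16                    # assumed tolerance for presses made out of range

class StaticReceiver:
    """Flawed design: one fixed code per button, no freshness."""
    def __init__(self, paired_code):
        self.paired_code = paired_code
    def accept(self, frame):
        return hmac.compare_digest(frame, self.paired_code)

class RollingFob:
    def __init__(self, key):
        self.key, self.counter = key, 0
    def press(self, command):
        self.counter += 1
        body = struct.pack(">IB", self.counter, command)  # counter + command
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:8]

class RollingReceiver:
    def __init__(self, key):
        self.key, self.last = key, 0
    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter, _command = struct.unpack(">IB", body)
        if not self.last < counter <= self.last + WINDOW:
            return False                      # stale (replayed) or too far ahead
        self.last = counter                   # every accepted frame is now spent
        return True

def demo():
    static_frame = b"\xa5\x5a\x01"            # constructed fixed "disarm" code
    static_rx = StaticReceiver(static_frame)
    static = [static_rx.accept(static_frame), static_rx.accept(static_frame)]
    fob, rx = RollingFob(KEY), RollingReceiver(KEY)
    frame = fob.press(0x01)
    rolling = [rx.accept(frame), rx.accept(frame), rx.accept(fob.press(0x01))]
    return static, rolling

if __name__ == "__main__":
    print(demo())
```

The static receiver accepts the same frame every time it is presented, while the counter-based receiver accepts a frame once and rejects any later copy of it.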
Attack Vector
The attack is conducted over a network vector, requiring no privileges or user interaction. An attacker positioned within radio frequency range of the target keyfob can use software-defined radio (SDR) equipment to:
- Intercept the wireless signal transmitted when a legitimate user operates the keyfob
- Decode and store the captured authentication code
- Replay the captured signal to the alarm system at a later time, triggering an authenticated action (arm/disarm)
The vulnerability can be exploited without any authentication credentials, and the attack complexity is low since the radio protocol does not employ encryption or replay countermeasures. This allows attackers to compromise the confidentiality, integrity, and availability of the protected system.
For detailed technical information regarding this vulnerability, refer to the NeutSec Security Advisory.
Detection Methods for CVE-2025-67135
Indicators of Compromise
- Unusual or repeated alarm system arm/disarm events occurring without physical keyfob presence
- RF signal anomalies or unexpected transmissions detected near the alarm system's operating frequency
- Multiple authentication events logged in rapid succession from the same keyfob identifier
- Alarm system state changes at times when no authorized users are present
Detection Strategies
- Deploy RF monitoring equipment to detect replay attacks or anomalous wireless transmissions in the alarm system's frequency band
- Implement logging and alerting for authentication events to identify unusual patterns such as rapid successive arm/disarm cycles
- Cross-reference alarm system activity logs with physical access logs or camera footage to identify unauthorized actions
- Monitor for the presence of SDR equipment or suspicious devices near protected premises
Monitoring Recommendations
- Enable comprehensive audit logging on the PG107 Alarm System to capture all arm/disarm events with timestamps
- Implement real-time alerting for alarm state changes, particularly during off-hours or when no authorized personnel are expected
- Consider supplementary intrusion detection systems that do not rely solely on the keyfob authentication mechanism
- Regularly review alarm system logs for anomalies that may indicate replay attack attempts
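The log-based checks described under Detection Strategies and Monitoring Recommendations can be sketched as follows. This is an added example, not a PG107 feature: the event layout, the keyfob identifiers, the sample events, the occupied hours and the burst thresholds are all constructed assumptions, since the page does not document the panel's log format.

```python
from datetime import datetime, time, timedelta

# Constructed audit events: (ISO timestamp, keyfob id, action).
EVENTS = [
    ("2026-02-10T08:01:12", "fob-01", "disarm"),
    ("2026-02-10T18:30:05", "fob-01", "arm"),
    ("2026-02-11T02:14:40", "fob-01", "disarm"),
    ("2026-02-11T02:14:43", "fob-01", "disarm"),
    ("2026-02-11T02:14:47", "fob-01", "arm"),
    ("2026-02-11T08:03:55", "fob-02", "disarm"),
]

BURST_WINDOW = timedelta(seconds=10)   # assumed threshold
BURST_COUNT = 3                        # events inside the window that raise an alert
OCCUPIED = (time(7, 0), time(20, 0))   # assumed hours when authorized users are present

def find_alerts(events):
    """Return (timestamp, keyfob id, reason) for each suspicious event."""
    parsed = sorted((datetime.fromisoformat(ts), fob, act) for ts, fob, act in events)
    alerts = []
    recent = {}  # keyfob id -> timestamps still inside the sliding window
    for ts, fob, action in parsed:
        # State change while nobody authorized is expected on site.
        if action == "disarm" and not OCCUPIED[0] <= ts.time() <= OCCUPIED[1]:
            alerts.append((ts.isoformat(), fob, "off-hours disarm"))
        # Several events from one keyfob identifier in rapid succession.
        window = [t for t in recent.get(fob, []) if ts - t <= BURST_WINDOW] + [ts]
        recent[fob] = window
        if len(window) == BURST_COUNT:
            alerts.append((ts.isoformat(), fob, "rapid successive events"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

Because a replayed frame is identical to a genuine one at the receiver, these checks rely on context (time of day, event rate) and should be correlated with camera footage or physical access logs before acting on an alert.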
How to Mitigate CVE-2025-67135
Immediate Actions Required
- Contact PGST for firmware updates or patches that address the replay attack vulnerability
- Consider temporarily disabling keyfob functionality and using alternative authentication methods (keypad codes, mobile app) until a fix is available
- Implement secondary verification mechanisms for alarm system control where possible
- Physically secure the alarm system control panel to prevent tampering
- Review and rotate keyfob pairings if the system supports re-enrollment
Patch Information
No vendor patch information is currently available. Monitor the NeutSec Security Advisory for updates regarding remediation guidance from the vendor. Users should contact PGST directly to inquire about firmware updates that implement rolling codes or other anti-replay mechanisms.
Workarounds
- Implement defense-in-depth by adding secondary alarm systems or sensors that use different authentication mechanisms
- Reduce reliance on keyfob authentication by utilizing keypad PIN codes or mobile application control when available
- Deploy RF shielding or jamming detection systems to identify potential attack attempts
- Establish procedural controls requiring manual verification before responding to alarm state changes
- Consider upgrading to alarm systems that implement modern rolling code or encrypted challenge-response protocols


