CVE-2025-7357 Overview
CVE-2025-7357 is a cleartext credential storage vulnerability affecting LITEON IC48A and IC80A industrial control device firmware. The affected firmware stores File Transfer Protocol (FTP) server access credentials in plaintext within system logs. An attacker with access to these logs can read the credentials and authenticate to the associated FTP server. The vulnerability is tracked under CWE-256: Plaintext Storage of a Password and was published as part of CISA ICS Advisory ICSA-25-196-03.
Critical Impact
Attackers who obtain system log access can extract FTP credentials in cleartext, enabling unauthorized access to associated file transfer infrastructure in operational technology (OT) environments.
Affected Products
- LITEON IC48A firmware versions prior to 01.00.19r
- LITEON IC80A firmware versions prior to 01.01.12e
- Industrial control system deployments using the affected LITEON firmware
Discovery Timeline
- 2025-07-16 - CVE-2025-7357 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7357
Vulnerability Analysis
The vulnerability stems from the firmware writing FTP authentication material directly into system logs without masking, hashing, or encryption. Logs are typically retained for diagnostic and operational purposes, but in this case they double as a credential disclosure channel. Any user, process, or remote service capable of reading the logs can recover the FTP username and password verbatim.
Because the affected devices are deployed in industrial environments, log access often extends beyond a single administrator. Engineering workstations, monitoring systems, and remote support tools commonly aggregate device logs. Each of these consumers becomes an additional path to credential exposure.
Once harvested, the credentials grant attackers access to the FTP server used by the device, which may host firmware images, configuration backups, or process data. This creates downstream risks including configuration tampering, firmware substitution, and lateral movement into adjacent OT segments.
Root Cause
The root cause is insecure credential handling in the logging subsystem [CWE-256]. The firmware fails to redact secrets before persisting log entries, treating sensitive authentication data the same as routine operational events.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker who can retrieve system logs through a network-accessible interface, log forwarding mechanism, or compromised log collector can extract the cleartext FTP credentials. No exploitation code is required because the credentials are present in their usable form within standard log output. See the vulnerability mechanism details in the CISA ICS Advisory ICSA-25-196-03.
Detection Methods for CVE-2025-7357
Indicators of Compromise
- Unexpected FTP authentication events on LITEON-associated FTP servers from unfamiliar source addresses
- Access to device log files or log export endpoints by accounts that do not normally perform diagnostics
- Outbound transfers of system log archives to external destinations
- File modifications or uploads on the FTP server outside scheduled maintenance windows
Detection Strategies
- Inspect LITEON IC48A and IC80A system logs for entries containing FTP usernames or password strings in cleartext
- Correlate FTP authentication attempts with log retrieval activity on the same device
- Monitor for log file reads through web interfaces, SNMP, syslog forwarding, or maintenance protocols
- Compare firmware version banners against the fixed releases 01.00.19r (IC48A) and 01.01.12e (IC80A)
Monitoring Recommendations
- Forward device logs to a centralized SIEM and apply rules that flag cleartext credential patterns within log payloads
- Track FTP login geolocation and source IP anomalies for accounts tied to LITEON devices
- Alert on any new account or unusual file activity on FTP servers paired with the affected hardware
- Audit which users and services have read access to device system logs and review on a recurring basis
How to Mitigate CVE-2025-7357
Immediate Actions Required
- Upgrade LITEON IC48A firmware to 01.00.19r or later and IC80A firmware to 01.01.12e or later
- Rotate all FTP credentials that may have been written to logs on affected devices
- Purge existing system logs from affected devices and any downstream log stores that retained them
- Restrict network reachability of device management and log interfaces to a dedicated administrative segment
Patch Information
LITEON has released fixed firmware versions that address the cleartext logging issue. Apply firmware 01.00.19r for IC48A and 01.01.12e for IC80A. Coordinate updates through standard OT change management and validate device operation post-upgrade. Reference the CISA ICS Advisory ICSA-25-196-03 for vendor-provided remediation guidance.
Workarounds
- Place affected devices behind a firewall and block external access to management ports and log interfaces
- Disable or restrict log export features until the firmware update is applied
- Use unique, dedicated FTP credentials per device so disclosure on one unit does not extend access elsewhere
- Enforce network segmentation between OT assets and corporate IT networks following ISA/IEC 62443 zone and conduit guidance
# Configuration example: restrict management and log access to an admin subnet
iptables -A INPUT -p tcp -s 10.10.20.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.20.0/24 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 21 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

