The equipment can initially be configured through the manufacturer's application, over Wi-Fi, through the web server, or with the manufacturer's software.
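When the manufacturer's software is used, the device is configured over UDP. Analysis of this communication showed that any aspect of the initial configuration can be changed using only the device's MAC address, with no authentication required. The record below files this under CWE-20 (Improper Input Validation) and lists CAPEC-10 and CAPEC-101, but the behaviour described is an absence of authentication on the UDP configuration service. It also carries no CVSS score, so triage should rely on the description rather than on the classification fields.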
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-64385",
"assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"assignerShortName": "S21sec",
"dateUpdated": "2025-10-31T14:23:06.442Z",
"dateReserved": "2025-10-31T13:13:35.298Z",
"datePublished": "2025-10-31T14:23:06.442Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
"shortName": "S21sec",
"dateUpdated": "2025-10-31T14:23:06.442Z"
},
"title": "INCORRECT SECURITY VALIDATION IN SENDING UDP FRAMES",
"descriptions": [
{
"lang": "en",
"value": "The equipment initially can be configured using the manufacturer's application, by Wi-Fi, by the web server or with the manufacturer’s software.\nUsing the manufacturer's software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device's MAC without the need for authentication.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "The equipment initially can be configured using the manufacturer's application, by Wi-Fi, by the web server or with the manufacturer’s software.<br>Using the manufacturer's software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device's MAC without the need for authentication."
}
]
}
],
"affected": [
{
"vendor": "Circutor",
"product": "TCPRS1plus",
"defaultStatus": "unknown",
"versions": [
{
"version": "1.0.14",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-20 Improper Input Validation",
"cweId": "CWE-20",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://cds.thalesgroup.com/es/s21sec"
},
{
"url": "https://circutor.com/productos/iot-industrial-y-automatizacion/conversores-y-pasarelas/product/D80010./",
"tags": [
"product"
]
}
],
"impacts": [
{
"capecId": "CAPEC-10",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-10 Buffer Overflow via Environment Variables"
}
]
},
{
"capecId": "CAPEC-101",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-101 Server Side Include (SSI) Injection"
}
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"solutions": [
{
"lang": "en",
"value": "This service has been removed in the new version.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "This service has been removed in the new version.<br>"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Víctor Bello Cuevas",
"type": "finder"
},
{
"lang": "en",
"value": "Aarón Flecha Menéndez",
"type": "finder"
}
]
}
}
}