HackRTU Blog


Learn about vulnerabilities and technical information from a different perspective, and keep up to date with everything HackRTU is doing.


Discover the latest articles on industrial cybersecurity, OT vulnerabilities, device analysis, technical research, 0-days and relevant news from the sector. On the HackRTU blog we take an in-depth look at the security of industrial systems, the IEC 62443 family of standards, and trends and research in industrial cybersecurity.


FIVE NEW CVEs IN CIRCUTOR'S TCPRS1+ DEVICE


CHRONICLES OF THE GALAXY


Juakin PLC Walker and DAV-25 had spent their last few weeks locked away in the laboratory; the Jedi's work against vulnerable devices never stops. Juakin had been working behind the scenes, altruistically, to detect new vulnerabilities in industrial devices that would help manufacturers improve their products and make the galaxy safer.

In his latest research project, he had analysed some physical media conversion gateways (between Modbus RTU and Modbus TCP/IP) from the manufacturer Circutor. Specifically, the model analysed was the TCPRS1+.

In addition to its physical media conversion capability, the TCPRS1+ features Wi-Fi communications, an integrated web server with an intuitive interface, and an application, MyConfig, for quick and easy configuration. Its features include the following:

  • Automation of supply infrastructures through integration with PLC or BMS (Building Management System).
  • Monitoring and control of Modbus RTU devices from cloud platforms or centralised supervision systems.
  • Modernisation of existing installations by adding TCP/IP connectivity without modifying the cabling.

Specifically, these were the details of the affected device:

  • Model: TCPRS1+
  • Firmware version analysed:
    • 1.0.14

Thanks to the information reported by Juakin PLC Walker to the S21sec CNA and the great work of its staff, five vulnerabilities have been published with the following CVE IDs:

  • CVE-2025-64385: Incorrect security validation in sending UDP frames
    • CVSS v4.0: 9.2
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H
    • CWE-20: Improper Input Validation
    • EPSS: 0.135%
  • CVE-2025-64386: Hijacking of the token and gaining access
    • CVSS v4.0: 7.7
    • CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    • CWE-613: Insufficient Session Expiration
    • EPSS: 0.041%
  • CVE-2025-64387: Clickjacking
    • CVSS v4.0: 5.1
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
    • CWE-1021: Improper Restriction of Rendered UI Layers or Frames
    • EPSS: 0.041%
  • CVE-2025-64388: Denial of service through specific packets
    • CVSS v4.0: 9.2
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
    • CWE-400: Uncontrolled Resource Consumption
    • EPSS: 0.042%
  • CVE-2025-64389: Exchange of sensitive information in clear text
    • CVSS v4.0: 8.3
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:L/SA:H
    • CWE-319: Cleartext Transmission of Sensitive Information
    • EPSS: 0.029%

Throughout this article we refer to some of the vulnerabilities listed above to give context for the type of attack involved. However, all evidence and explanations are generic and are not directly related to the exploitation of the vulnerabilities found by our researchers.

CVE-2025-64389 – EXCHANGE OF SENSITIVE INFORMATION IN CLEAR TEXT

This vulnerability refers to the exchange of sensitive information in plain text within the communication operations of the TCPRS1+ device.

Although the vulnerability is simple, the use of insecure communication protocols such as HTTP would allow an attacker to obtain critical network information: users, credentials, system versions, production values, configurations, etc.

Inside the network, the packet carrying the credentials may pass through several intermediate communication nodes, and anyone with access to those network interfaces can read the information in plain text.

Figure: CVE-2025-64389 – Exchange of sensitive information in clear text

In the case of the TCPRS1+ device, critical information about the device and its management could be obtained. The image above shows an example of the information an attacker could obtain by intercepting the communication of a user who is logging in to a device with a username and password.

Possible mitigations for this type of vulnerability can be implemented in several ways, including the following (taken from the MITRE entry for CWE-319: Cleartext Transmission of Sensitive Information):

  • Encrypt the data with a reliable cryptographic protocol before sending it.
  • Use a secure communication protocol such as HTTPS throughout the entire session, from login to logout.
  • Use servers that offer encrypted communication channels, such as SSL/TLS or other secure protocols.
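The passive detection that follows is an added example and is not code from HackRTU, S21sec or Circutor. It parses raw HTTP requests as a monitoring point (a SPAN port or a capture file) would see them and reports any request that carries credentials over an unencrypted transport: an Authorization header with the Basic or Bearer scheme, or a secret-looking field in the query string or in a form body. The sample requests and the list of secret field names are constructed for the demonstration; the field list is an assumption to be extended for each product.

```python
"""Flag credentials that travel over cleartext HTTP (CWE-319 detection helper)."""
import base64
from urllib.parse import parse_qs, urlparse

# Assumption: form/query field names that usually carry secrets. Extend per product.
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "token", "secret", "apikey"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, query, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlparse(target)
    return {
        "method": method,
        "path": url.path,
        "query": parse_qs(url.query),
        "headers": headers,
        "body": body.decode("latin-1"),
    }


def find_cleartext_credentials(raw: bytes, transport_encrypted: bool = False) -> list:
    """Return one finding string per credential exposed in cleartext.

    transport_encrypted=True means the request was observed inside TLS (for example
    after a terminating proxy); nothing is reported then, because the weakness is
    the transport, not the authentication scheme itself.
    """
    if transport_encrypted:
        return []
    req = parse_http_request(raw)
    findings = []

    # Authorization header: Basic is reversible, Bearer is a replayable secret.
    scheme, _, param = req["headers"].get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        decoded = base64.b64decode(param).decode("utf-8", "replace")
        user = decoded.split(":", 1)[0]  # report the user, never log the password
        findings.append(f"HTTP Basic credentials for user '{user}' on {req['path']}")
    elif scheme.lower() == "bearer":
        findings.append(f"bearer token on {req['path']}")

    # Secrets in the URL end up in proxy and server logs as well as on the wire.
    for field in req["query"]:
        if field.lower() in SECRET_FIELDS:
            findings.append(f"query parameter '{field}' on {req['path']}")

    # Classic login form submitted as application/x-www-form-urlencoded.
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(req["body"]):
            if field.lower() in SECRET_FIELDS:
                findings.append(f"form field '{field}' on {req['path']}")
    return findings


# Constructed sample traffic (not captures from any real device).
LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: gateway.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"user=admin&password=s3cret"
)
BASIC_GET = (
    b"GET /config HTTP/1.1\r\nHost: gateway.example\r\nAuthorization: Basic "
    + base64.b64encode(b"admin:s3cret")
    + b"\r\n\r\n"
)
TOKEN_GET = b"GET /api/values?token=abc123 HTTP/1.1\r\nHost: gateway.example\r\n\r\n"
STATUS_GET = b"GET /status HTTP/1.1\r\nHost: gateway.example\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("login", LOGIN_POST), ("basic", BASIC_GET),
                      ("token", TOKEN_GET), ("status", STATUS_GET)]:
        print(name, find_cleartext_credentials(raw) or "no cleartext credentials")
```

The checker deliberately reports only the user name for Basic credentials so that the detection log does not become a second copy of the secret. On a real network the same function would be fed from a capture library; the parser here only understands HTTP/1.x with CRLF line endings.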


CVE-2025-64387 – CLICKJACKING

In the case of CVE-2025-64387, our researchers found that the device had no protection against clickjacking. This vulnerability, also known as a UI redress attack and classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), is a type of attack in which the victim believes they are clicking on a legitimate, trustworthy website but is actually clicking on a malicious page that is hidden or superimposed on top of the legitimate one.

In short, the attack consists of placing an invisible element over a legitimate page, so that users believe they are interacting with the original website while they are really clicking on an invisible layer above it.

There is a wide variety of clickjacking attacks. In cursor clickjacking, the user's cursor is displaced on screen so that the user performs an action without realising it. In "fake like" clickjacking, the attacker superimposes a Like button on a social media post, and when the user clicks on it the malicious action prepared by the attacker is carried out.

This type of vulnerability is no longer as common, but a wide variety of well-known attacks have used this technique. There are also several mitigation measures for the problem. For example, OWASP considers the following solutions to prevent or mitigate clickjacking attacks:

  • Send the appropriate Content Security Policy (CSP) response headers, which instruct the browser not to allow the page to be framed by other domains.
  • Correctly configure authentication cookies with the SameSite=Strict (or Lax) attribute for greater security.
  • Use defensive code in the user interface to ensure that the page is being rendered in the correct (top-level) frame.

In addition, OWASP recommends reviewing its Clickjacking Defense Cheat Sheet, which provides defensive recommendations for developers, as a defensive measure against clickjacking.
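The following is an added example and is not code from HackRTU, S21sec, OWASP or Circutor. It shows, for a device web interface such as the one described above, the response headers that implement the first two OWASP measures (a CSP frame-ancestors directive, X-Frame-Options as a fallback for older browsers, and a SameSite attribute on the session cookie), together with an audit function that reads a response's headers and lists which of those protections are missing or too weak. The session cookie name and the tiny stand-in web server are assumptions made for the demonstration.

```python
"""Emit and audit anti-clickjacking response headers (CWE-1021 mitigation)."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_COOKIE = "session"  # assumption: name of the device's session cookie


def protective_headers(session_id: str) -> dict:
    """Headers a login response should carry so it cannot be framed or reused cross-site."""
    return {
        # CSP level 2: no other origin may embed this page in a frame.
        "Content-Security-Policy": "frame-ancestors 'none'",
        # Legacy header honoured by browsers that predate CSP frame-ancestors.
        "X-Frame-Options": "DENY",
        # SameSite=Strict keeps the session cookie off cross-site (framed) requests.
        "Set-Cookie": f"{SESSION_COOKIE}={session_id}; HttpOnly; Secure; SameSite=Strict",
    }


def audit_clickjacking(headers: dict) -> list:
    """Return a list of missing or weak protections; an empty list means protected."""
    h = {name.lower(): value for name, value in headers.items()}
    problems = []

    csp = h.get("content-security-policy", "")
    match = re.search(r"frame-ancestors\s+([^;]+)", csp)
    if not match:
        problems.append("no frame-ancestors directive in Content-Security-Policy")
    elif "*" in match.group(1).split():  # a bare * lets any origin frame the page
        problems.append("frame-ancestors allows any origin")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    cookie = h.get("set-cookie", "")
    if cookie and not re.search(r";\s*SameSite=(Strict|Lax)\b", cookie, re.IGNORECASE):
        problems.append("session cookie lacks SameSite=Strict or SameSite=Lax")
    return problems


class DeviceUI(BaseHTTPRequestHandler):
    """Minimal stand-in for a device web UI that sends the protective headers."""

    def do_GET(self):
        body = b"<html><body><h1>Gateway configuration</h1></body></html>"
        self.send_response(200)
        for name, value in protective_headers("demo-session-id").items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    print("unprotected:", audit_clickjacking({"Content-Type": "text/html"}))
    print("protected:", audit_clickjacking(protective_headers("demo")))
    HTTPServer(("127.0.0.1", 8080), DeviceUI).serve_forever()
```

The audit function is the part worth reusing: pointed at the headers returned by each page of a device's web interface, it turns OWASP's checklist into a pass/fail result that can be run again after every firmware update.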

All recommendations provided by our team of technicians are generic. To remedy the specific problems behind CVE-2025-64385, CVE-2025-64386, CVE-2025-64387, CVE-2025-64388 and CVE-2025-64389, HackRTU recommends consulting the advisory published by S21sec for these vulnerabilities and applying the solutions and mitigations proposed by the manufacturer, Circutor.


HACKRTU TEAM