MB-Gateway devices made by industrial automation firm AutomationDirect are exposed to remote attacks — including directly from the internet — due to a critical vulnerability.
The existence of the vulnerability was disclosed on Tuesday by the cybersecurity agency CISA, which noted in its advisory that the vulnerable Modbus gateway product is used worldwide, including in critical infrastructure.
CISA described the vulnerability, which is tracked as CVE-2025-36535 and has a CVSS score of 10, as a missing authentication issue in the product’s embedded webserver, potentially allowing unrestricted remote access.
The agency noted that the product’s hardware limitations prevent the implementation of a proper access control update, and AutomationDirect has advised users to replace the MB-Gateway product with the EKI-1221-CE gateway.
Souvik Kandar, the Microsec researcher who discovered it, told SecurityWeek that the vulnerability can be exploited remotely from the internet and there are over 100 web-exposed devices that may be impacted.
“The issue stems from a lack of authentication on the device’s embedded web interface. Anyone with internet access can reach the configuration panel without any credentials,” Kandar explained.
“The exposed interface leaks sensitive device parameters such as internal IPs, firmware versions, Modbus configuration, and serial communication settings,” he added.
According to the researcher, exploitation of the vulnerability can have a critical impact in some industrial environments.
An attacker could remotely modify device configurations, disrupt or manipulate Modbus communications between systems, obtain detailed network and system information for lateral movement, and in certain configurations (depending on how the gateway is integrated and what functions are exposed) an attacker could be able to execute arbitrary code.
Learn More at SecurityWeek’s ICS Cybersecurity Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
October 27-30, 2025 | Atlanta
www.icscybersecurityconference.com
Related: Up to 25% of Internet-Exposed ICS Are Honeypots
Related: Critical Vulnerabilities Found in Planet Technology Industrial Networking Products
Related: Lantronix Device Used in Critical Infrastructure Exposes Systems to Remote Hacking
