CVE-2025-29270
BaseFortify

Publication date: 2025-10-31

Last updated on: 2025-11-04

Assigner: MITRE

Description
Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device.
Meta Information

Published: 2025-10-31
Last Modified: 2025-11-04
Generated: 2026-06-16
AI Q&A: 2025-11-01
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
| Vendor | Product | Version / Range |
|---|---|---|
| deep_sea_electronics | dse855 | 1.1.0 |
| deep_sea_electronics | dse855 | 1.0.26 |
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Executive Summary

CVE-2025-29270 is an authentication bypass vulnerability in the DSE855 Communications Device by Deep Sea Electronics. The device has an exposed endpoint, /realtime.cgi, which leaks sensitive information including session identifiers (SIDs), user IDs, user roles, and network status without requiring authentication. Attackers can retrieve the SID from this endpoint, inject it into their browser cookies, and then access the administrative interface at /secure/index.html without proper authentication, gaining full control over the device. [1]

Impact Analysis

This vulnerability allows attackers to gain unauthorized administrative access to the DSE855 device, enabling them to fully control the device remotely. Since the device is used for remote monitoring and control of power generation and other critical systems, exploitation could lead to unauthorized changes, disruption of operations, or compromise of the managed systems, potentially causing significant operational and security impacts. [1]

Detection Guidance

You can detect this vulnerability by requesting the `/realtime.cgi` endpoint on the DSE855 device and checking whether it discloses sensitive information such as session identifiers (SIDs), user IDs, and user roles without authentication. For example, `curl http://<device-ip>/realtime.cgi` shows whether the endpoint is exposed. If the response contains session identifiers or sensitive device status information without requiring authentication, the device is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include restricting network access to the DSE855 device's web interface, especially the `/realtime.cgi` and `/secure/index.html` endpoints, by implementing firewall rules or network segmentation to limit access only to trusted users. Additionally, monitor and audit access logs for suspicious activity. If possible, update the device firmware to a version that addresses this vulnerability once available from the vendor. Until a patch is applied, avoid exposing the device's management interface to untrusted networks. [1]
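
One way to act on the log-auditing advice above, as an added example (not code from BaseFortify or the vendor): it flags untrusted sources that read `/realtime.cgi` and then reach a page under `/secure/`. The Common Log Format input (for instance from a reverse proxy in front of the device), the trusted-host allowlist and the 10-minute window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: Common Log Format lines as a proxy in front of the
# DSE855 might record them (assumption; the device's own log format is unknown).
SAMPLE_LOG = """\
10.0.5.20 - - [03/Nov/2025:09:14:02 +0000] "GET /realtime.cgi HTTP/1.1" 200 412
10.0.5.20 - - [03/Nov/2025:09:14:40 +0000] "GET /secure/index.html HTTP/1.1" 200 5310
192.0.2.77 - - [03/Nov/2025:11:02:10 +0000] "GET /realtime.cgi HTTP/1.1" 200 412
192.0.2.77 - - [03/Nov/2025:11:03:05 +0000] "GET /secure/index.html HTTP/1.1" 200 5310
198.51.100.9 - - [03/Nov/2025:12:30:00 +0000] "GET /realtime.cgi HTTP/1.1" 200 412
203.0.113.4 - - [03/Nov/2025:13:00:00 +0000] "GET /secure/index.html HTTP/1.1" 403 120
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TRUSTED = {"10.0.5.20"}          # hypothetical management workstation
WINDOW = timedelta(minutes=10)   # assumed correlation window

def parse(log_text):
    """Yield (ip, timestamp, path-without-query, status) per parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["path"].split("?")[0], int(m["status"])

def findings(log_text, trusted=TRUSTED, window=WINDOW):
    """Return (ip, reason) pairs for untrusted sources, in log order."""
    last_read = {}  # source IP -> time of its last successful /realtime.cgi read
    out = []
    for ip, ts, path, status in parse(log_text):
        if ip in trusted or status != 200:
            continue
        if path == "/realtime.cgi":
            last_read[ip] = ts
            out.append((ip, "realtime.cgi readable from untrusted source"))
        elif (path.startswith("/secure/") and ip in last_read
              and ts - last_read[ip] <= window):
            out.append((ip, "admin panel reached after realtime.cgi read"))
    return out

if __name__ == "__main__":
    for ip, reason in findings(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

A session identifier read from one address can be presented from another, so treat any untrusted read of `/realtime.cgi` as a finding on its own rather than waiting for the second event.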
