Security Flaw in UNI-NMS-Lite Allows Unauthenticated Access to Managed Devices
CVE-2025-46273

9.3 CRITICAL

Key Information:

Vendor
CVE Published: 24 April 2025

What is CVE-2025-46273?

CVE-2025-46273 is a security vulnerability found in the UNI-NMS-Lite network management software developed by Planet Technology. This software is designed for managing and monitoring network devices, ensuring that organizations can efficiently oversee their network operations. The vulnerability stems from the use of hard-coded credentials within the software, which could allow an unauthenticated attacker to gain administrative privileges over all devices managed by UNI-NMS-Lite. This flaw poses a significant security risk, as it undermines the integrity of network management and could lead to unauthorized access and control over critical network infrastructure.

Technical Details

The vulnerability is primarily due to the presence of hard-coded credentials in UNI-NMS-Lite, which essentially provide a backdoor for attackers. Because the credentials are built into the software, an attacker does not need a legitimate account to authenticate, which makes the flaw easy to exploit. With administrative access, an attacker could manipulate network settings, monitor traffic, or even intercept sensitive information. These implications point to significant weaknesses in the authentication mechanisms employed by the software.
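The flaw class described above (hard-coded credentials), shown beside a hardened alternative as an added example; this is not UNI-NMS-Lite code. The account name, password, function and class names, and the PBKDF2 work factor are constructed placeholders and assumptions.

```python
import hashlib
import hmac
import os

# Constructed placeholders for illustration; NOT real UNI-NMS-Lite credentials.
BUILTIN_USER, BUILTIN_PASS = "svc-example", "example-only"


def login_hardcoded(user: str, password: str) -> bool:
    """Flawed pattern: one secret ships inside every copy of the software."""
    return user == BUILTIN_USER and password == BUILTIN_PASS


class CredentialStore:
    """Hardened pattern: no built-in account; each installation sets its own."""

    ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

    def __init__(self) -> None:
        self._users = {}  # user -> (salt, derived hash)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def provision(self, user: str, password: str) -> None:
        """Called at first-run setup; refuses the shipped default and weak values."""
        if password == BUILTIN_PASS or len(password) < 12:
            raise ValueError("choose a unique password of at least 12 characters")
        salt = os.urandom(16)
        self._users[user] = (salt, self._derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        # Unknown users still cost one derivation, so timing does not reveal them.
        salt, stored = self._users.get(user, (b"\0" * 16, b"\0" * 32))
        match = hmac.compare_digest(self._derive(password, salt), stored)
        return match and user in self._users


if __name__ == "__main__":
    site_a, site_b = CredentialStore(), CredentialStore()
    site_a.provision("admin", "site-A-passphrase-01")
    site_b.provision("admin", "site-B-passphrase-02")
    print("hard-coded secret works everywhere:", login_hardcoded(BUILTIN_USER, BUILTIN_PASS))
    print("site A secret accepted at site A:", site_a.login("admin", "site-A-passphrase-01"))
    print("site A secret accepted at site B:", site_b.login("admin", "site-A-passphrase-01"))
```

With per-installation provisioning, a secret learned from one deployment is useless against another, whereas the embedded constant is valid on every copy.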

Potential Impact of CVE-2025-46273

  1. Unauthorized Access to Network Devices: The most immediate impact of CVE-2025-46273 is the potential for attackers to gain full administrative control over network devices managed by UNI-NMS-Lite. This could lead to significant disruptions in network management and operations.

  2. Data Breach Risks: Once attackers have administrative rights, they could access sensitive data flowing through the network, which could be harvested for malicious purposes or leaked to unauthorized parties. This places organizations at risk of severe data breaches.

  3. Network Integrity Compromise: The ability to alter network configurations enables attackers to implement malicious changes that could disrupt service availability, escalate privileges further, or introduce vulnerabilities into the network. This could ultimately jeopardize the overall reliability and security of an organization's IT infrastructure.

Affected Version(s)

UNI-NMS-Lite: all versions up to and including 1.0b211018

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kev Breen of Immersive reported these vulnerabilities to CISA.