Microsens NMP Web+ vulnerabilities allow unauthenticated remote control.

CISA alerted that Microsens’s NMP Web+ network management platform in versions 3.2.5 and earlier contains two critical and one high-severity flaw, enabling attackers to forge JSON Web Tokens, bypass authentication, and execute arbitrary code. Researchers demonstrated that chaining the authentication bypass and path-traversal bugs delivers full operating-system access, while a session-expiration issue allows persistent entry. Microsens published version 3.3.0 to patch these defects, and CISA advises organizations to update immediately and limit internet exposure of all NMP Web+ instances.

Read more:

https://www.securityweek.com/critical-microsens-product-flaws-allow-hackers-to-go-from-zero-to-hero/