CVE-2025-62772 in M6a
Summary
by MITRE • 10/22/2025
On Mercku M6a devices through 2.1.0, session tokens remain valid for at least months in some cases.
Analysis
by VulDB Data Team • 10/24/2025
The vulnerability identified as CVE-2025-62772 affects Mercku M6a devices running firmware versions up to 2.1.0, presenting a significant session management flaw that compromises system security through prolonged token validity periods. This issue falls under the broader category of weak session management as classified by CWE-613, where session tokens maintain their validity for extended periods, potentially lasting months in certain scenarios. The affected devices operate within industrial or IoT environments where security is paramount, making this vulnerability particularly concerning for organizations relying on these systems for critical operations.
The technical flaw lies in the session token expiration mechanism: authentication tokens do not enforce time-based limits on session validity. This weakness allows an attacker who obtains a valid session token to keep persistent access to the device for extended periods without re-authenticating. Because validity is so prolonged, a stolen token can be reused indefinitely until it is manually revoked or the device is restarted. This behavior violates fundamental security principles of least privilege and time-based access control, as outlined in the NIST Cybersecurity Framework and ISO/IEC 27001 standards for access management.
The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling attackers to perform lateral movement within networks, conduct persistent surveillance, or execute malicious operations without detection. In industrial control systems or IoT environments, prolonged session validity can lead to extended periods of unauthorized system manipulation, data exfiltration, or service disruption. The vulnerability is particularly dangerous when combined with other security weaknesses, as it gives attackers sustained access windows that can be leveraged for more sophisticated attacks. According to the MITRE ATT&CK framework, this weakness maps to T1566 (Phishing for Information) and T1078 (Valid Accounts), where attackers exploit persistent access to maintain their presence within target environments.
Organizations should implement immediate mitigations including enforcing strict session timeout policies, implementing automatic token rotation mechanisms, and establishing monitoring protocols for unusual session activity patterns. Device administrators should consider implementing additional authentication layers such as multi-factor authentication to reduce the impact of token compromise. Firmware updates from Mercku should be prioritized to address this vulnerability, while security teams should conduct comprehensive audits of session management configurations across all affected devices. The vulnerability demonstrates the importance of proper session lifecycle management as specified in OWASP Top Ten security controls and highlights the need for continuous security assessment of IoT and industrial devices to prevent long-term unauthorized access scenarios.
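The following is an added illustration of the flaw described above and of the mitigations just listed; it is not Mercku firmware code and is not taken from the VulDB entry. It contrasts a session store that never expires tokens server-side (the CWE-613 condition) with one that enforces an absolute lifetime, an idle timeout and periodic token rotation, and that records session events for monitoring. The timeout values (8 h absolute, 15 min idle, 30 min rotation) and the user names are constructed assumptions for the demo, not values the advisory states.

```python
import secrets
from dataclasses import dataclass

# Constructed policy values (assumptions for this example; the advisory gives no figures).
ABSOLUTE_LIFETIME_S = 8 * 3600   # hard cap: re-authenticate at least every 8 hours
IDLE_TIMEOUT_S = 15 * 60         # expire after 15 minutes without activity
ROTATE_AFTER_S = 30 * 60         # issue a fresh token identifier every 30 minutes of use


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    rotated_at: float


class WeakSessionStore:
    """Models the CWE-613 condition: a token is accepted regardless of its age."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, now)
        return token

    def validate(self, token, now):
        s = self._sessions.get(token)
        return s.user if s else None   # no age check: a stolen token works for months


class HardenedSessionStore:
    """Server-side expiry, idle timeout, rotation and an event log for monitoring."""

    def __init__(self, absolute=ABSOLUTE_LIFETIME_S, idle=IDLE_TIMEOUT_S, rotate=ROTATE_AFTER_S):
        self._sessions = {}
        self.absolute, self.idle, self.rotate = absolute, idle, rotate
        self.events = []   # (reason, user) tuples a SIEM could consume

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, now)
        self.events.append(("login", user))
        return token

    def validate(self, token, now):
        """Return (user, token_to_use) or (None, None); callers must adopt token_to_use."""
        s = self._sessions.get(token)
        if s is None:
            self.events.append(("unknown_token", None))   # replay of a revoked/rotated token
            return None, None
        if now - s.issued_at > self.absolute:
            self._revoke(token, "absolute_expiry", s.user)
            return None, None
        if now - s.last_seen > self.idle:
            self._revoke(token, "idle_expiry", s.user)
            return None, None
        s.last_seen = now
        if now - s.rotated_at >= self.rotate:
            # Rotation: bind the session to a new identifier and drop the old one.
            new_token = secrets.token_urlsafe(32)
            s.rotated_at = now
            self._sessions[new_token] = self._sessions.pop(token)
            self.events.append(("rotated", s.user))
            return s.user, new_token
        return s.user, token

    def logout(self, token):
        s = self._sessions.get(token)
        if s:
            self._revoke(token, "logout", s.user)

    def _revoke(self, token, reason, user):
        self._sessions.pop(token, None)
        self.events.append((reason, user))


def demo():
    """Walk both stores through the same timeline; times are constructed epoch seconds."""
    t0 = 1_700_000_000.0
    weak = WeakSessionStore()
    w = weak.login("admin", t0)
    weak_ok_90d = weak.validate(w, t0 + 90 * 86400) == "admin"      # still valid 90 days later

    hard = HardenedSessionStore()
    h = hard.login("admin", t0)
    hard_user_90d, _ = hard.validate(h, t0 + 90 * 86400)             # absolute expiry hits
    h2 = hard.login("admin", t0)
    _, h2 = hard.validate(h2, t0 + 10 * 60)                           # normal activity
    _, h2 = hard.validate(h2, t0 + 20 * 60)
    _, h3 = hard.validate(h2, t0 + 32 * 60)                           # >= 30 min in use: rotated
    old_rejected = hard.validate(h2, t0 + 33 * 60) == (None, None)
    new_accepted = hard.validate(h3, t0 + 34 * 60)[0] == "admin"
    absolute_enforced = hard.validate(h3, t0 + 9 * 3600) == (None, None)
    h4 = hard.login("user", t0)
    idle_enforced = hard.validate(h4, t0 + 16 * 60) == (None, None)   # 16 min idle > 15 min
    return {
        "weak_token_valid_after_90_days": weak_ok_90d,
        "hardened_token_valid_after_90_days": hard_user_90d is not None,
        "rotated": h3 != h2,
        "old_token_rejected_after_rotation": old_rejected,
        "new_token_accepted": new_accepted,
        "absolute_expiry_enforced": absolute_enforced,
        "idle_expiry_enforced": idle_enforced,
        "events": [reason for reason, _ in hard.events],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Expiry is decided server-side on every request, so a captured token is useless after the absolute or idle window even if the client never logs out; the `events` list is what a monitoring rule for "unusual session activity" would watch, for example repeated `unknown_token` entries that indicate replay of an identifier that has already been rotated or revoked.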