CISA reports critical authentication vulnerability in AutomationDirect MB-Gateway devices
Take action: If you are running AutomationDirect MB-Gateway devices, this is bad news. The devices are critically vulnerable, they offer no way to add authentication or access controls, and the vendor will not be fixing them. Make sure every one of them is isolated on a separate network (ideally physically disconnected from any other network), then plan to replace them.
Learn More
AutomationDirect and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are reporting a critical security vulnerability affecting all versions of the AutomationDirect MB-Gateway device.
The vulnerability is tracked as CVE-2025-36535 (CVSS score 10.0), a "Missing Authentication for Critical Function" (CWE-306). The flaw stems from the embedded web server in MB-Gateway devices, which has no authentication or access controls, so anyone who can reach it over the network has unrestricted access to it. An attacker could make unauthorized configuration changes, disrupt the operational systems behind the gateway and run arbitrary code.
Because of hardware limitations, AutomationDirect states that the MB-Gateway cannot be updated to add proper access controls. The vendor recommends replacing the MB-Gateway with the EKI-1221-CE.
If immediate replacement is not feasible, AutomationDirect and CISA recommend implementing the following interim security measures:
- Restrict network exposure: Ensure devices are not accessible from the Internet or untrusted networks by placing them behind firewalls
- Use dedicated networks: Implement secure internal networks or air-gapped systems for communication with programmable devices
- Control access: Restrict physical and logical access to authorized personnel only
- Implement whitelisting: Allow only pre-approved and trusted applications to access the device
- Monitor and log activity: Enable logging to detect potential anomalies or unauthorized actions
- Use secure backup and recovery: Regularly back up configurations to minimize downtime in case of compromise
- Plan for device replacement: Begin evaluating and migrating to supported hardware with active vendor support
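As a concrete illustration of the "restrict network exposure", "whitelisting" and "monitor and log" items above, here is an added example written for this page; it is not code from AutomationDirect or CISA. It assumes the gateways sit on their own routed segment behind a Linux firewall running nftables, that the gateway serves Modbus/TCP on the standard port 502 and its unauthenticated web interface on plain HTTP port 80 (both assumptions), and it uses constructed addresses and kernel-log lines. The script holds the allowlist in one place, renders it as an nftables ruleset that drops and logs everything else aimed at the gateway, and then checks firewall log lines against the same policy so that attempts to reach the web configuration interface stand out.

```python
import re

# Constructed example addresses and allowlist; substitute your own segment.
GATEWAY_IP = "192.168.50.10"
MODBUS_TCP_PORT = 502   # assumption: the gateway serves Modbus/TCP on the standard port
HTTP_PORT = 80          # assumption: the unauthenticated web server is plain HTTP on 80

# Only these SCADA/HMI hosts may poll the gateway over Modbus/TCP.
MODBUS_CLIENTS = ("192.168.50.20", "192.168.50.21")
# Hosts allowed to reach the web configuration page. Empty means nobody, which
# is the right default for a server that cannot authenticate anyone.
WEB_CLIENTS: tuple[str, ...] = ()


def policy_allows(src: str, dst: str, dport: int) -> bool:
    """Decide whether a new TCP connection to the gateway is permitted."""
    if dst != GATEWAY_IP:
        return False                      # this policy only covers the gateway
    if dport == MODBUS_TCP_PORT:
        return src in MODBUS_CLIENTS
    if dport == HTTP_PORT:
        return src in WEB_CLIENTS
    return False                          # every other service is denied


def render_nftables() -> str:
    """Render the same policy as an nftables ruleset for the firewall that
    routes between the gateway's dedicated segment and the rest of the plant.
    Denied attempts are logged with a fixed prefix so they can be picked out
    of the kernel log later."""
    lines = ["table inet mbgw {"]
    if MODBUS_CLIENTS:
        lines.append("  set modbus_clients { type ipv4_addr; elements = { %s } }"
                     % ", ".join(MODBUS_CLIENTS))
    if WEB_CLIENTS:
        lines.append("  set web_clients { type ipv4_addr; elements = { %s } }"
                     % ", ".join(WEB_CLIENTS))
    lines += ["  chain forward {",
              "    type filter hook forward priority 0; policy drop;",
              "    ct state established,related accept"]
    if MODBUS_CLIENTS:
        lines.append(f"    ip daddr {GATEWAY_IP} tcp dport {MODBUS_TCP_PORT} "
                     "ip saddr @modbus_clients accept")
    if WEB_CLIENTS:
        lines.append(f"    ip daddr {GATEWAY_IP} tcp dport {HTTP_PORT} "
                     "ip saddr @web_clients accept")
    lines += [f'    ip daddr {GATEWAY_IP} log prefix "mbgw-denied: " drop',
              "  }", "}"]
    return "\n".join(lines) + "\n"


# Netfilter log records (as written to the kernel log by the "log" rule above)
# carry SRC/DST/PROTO/SPT/DPT fields in this fixed layout.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)")


def flag_violations(log_lines):
    """Return (src, dport, label) for each logged TCP connection attempt the
    policy does not allow. Lines that are not netfilter TCP records are skipped.
    Attempts on the web port are labelled separately because they target the
    unauthenticated configuration interface."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if policy_allows(src, dst, dport):
            continue
        label = ("web-config" if dport == HTTP_PORT
                 else "modbus" if dport == MODBUS_TCP_PORT else "other")
        hits.append((src, dport, label))
    return hits


# Constructed sample kernel-log lines: two denied attempts from a host outside
# the allowlist and one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Jun 10 09:12:01 fw kernel: mbgw-denied: IN=eth1 OUT=eth2 SRC=10.0.8.15 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 09:12:05 fw kernel: mbgw-denied: IN=eth1 OUT=eth2 SRC=10.0.8.15 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=51235 DPT=502 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 09:13:00 fw sshd[2201]: Accepted publickey for ops from 10.0.8.2 port 40210 ssh2
"""

if __name__ == "__main__":
    print(render_nftables())
    for src, dport, label in flag_violations(SAMPLE_LOG.splitlines()):
        print(f"denied {label:10s} from {src} to port {dport}")
```

Two caveats a practitioner should keep in mind. First, a firewall at the segment boundary sees nothing that happens on the gateway's own Layer 2 segment, so no other host should share that segment; if an engineer genuinely needs the web page, add that one workstation to WEB_CLIENTS for the duration of the work and remove it afterwards. Second, the ruleset is a compensating control only: the web server on the device stays unauthenticated, so a single misconfiguration of the firewall exposes it completely, and the replacement plan still has to happen.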
CISA also recommends using secure remote access methods such as Virtual Private Networks (VPNs) when remote access is required, while noting that VPNs themselves may have vulnerabilities and should be kept updated.
CISA notes that no known public exploitation specifically targeting this vulnerability has been reported at this time. However, given the critical nature of the vulnerability and its potential impact on industrial control systems, affected organizations should prioritize mitigation efforts.