Advisory

Multiple critical flaws reported in MICROSENS NMP Web+ Network Management Platform

Take action: If you use the MICROSENS NMP Web+ network management platform, make sure it is isolated from the internet and reachable only from trusted networks. Then plan a prompt update to version 3.3.0, because these flaws are fairly trivial to abuse.


Learn More

MICROSENS has patched multiple security vulnerabilities in its NMP Web+ network management platform. Successful exploitation could allow attackers to gain system access, overwrite files, or execute arbitrary code on affected systems.

Vulnerabilities summary

  • CVE-2025-49151 (CVSS score 9.3) - Use of Hard-coded, Security-relevant Constants - allows unauthenticated attackers to forge JSON Web Tokens (JWT) and bypass authentication entirely. The constants used to produce valid tokens are hard-coded in the product, so anyone who extracts them can mint tokens that pass validation without legitimate credentials.
  • CVE-2025-49153 (CVSS score 9.3) - Improper Limitation of a Pathname to a Restricted Directory - a path traversal vulnerability that allows unauthenticated attackers to manipulate file paths, reach directories outside the intended location, overwrite files and ultimately execute arbitrary code on affected systems.
  • CVE-2025-49152 (CVSS score 8.7) - Insufficient Session Expiration - issued JSON Web Tokens never expire, so an attacker who obtains a token through interception, leakage or compromise keeps access indefinitely. Because the tokens carry no time limit, credential revocation and session management controls do not take effect against them.
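
The two token flaws above share one root: a verifier that trusts an HMAC computed with a key every attacker can obtain, and that never looks at an expiry claim. The following Python is an added illustration written for this advisory, not MICROSENS's code; the secret value, claim names and key length are invented placeholders, and the "hardened" verifier simply shows the two properties a fix needs (a per-installation random key and a mandatory, bounded `exp`).

```python
"""Illustrative JWT forgery / non-expiry demo (added example, not product code).

Hard-coded key + no 'exp' check  ->  unauthenticated, permanent access.
Per-install random key + 'exp' check -> both token flaws closed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical constant standing in for a secret baked into a shipped binary.
# Every customer and every attacker who downloads the installer can read it.
HARDCODED_SECRET = b"example-shipped-constant"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Whoever knows `key` needs no credentials at all."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable pattern: signature is checked, 'exp' is never consulted."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


def verify_hardened(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Fixed pattern: same signature check, plus a required, unexpired 'exp'."""
    claims = verify_naive(token, key)
    if claims is None:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # missing or past 'exp' -> reject, so leaked tokens die
    return claims


def compare(now: float = 1_700_000_000.0) -> dict:
    """Run forged and non-expiring tokens against both verifiers."""
    per_install_key = secrets.token_bytes(32)  # hardened: random per deployment
    forged = sign_jwt({"sub": "attacker", "role": "admin"}, HARDCODED_SECRET)
    no_exp = sign_jwt({"sub": "operator"}, HARDCODED_SECRET)  # leaked long ago
    fresh = sign_jwt({"sub": "operator", "exp": now + 900}, per_install_key)
    return {
        # CVE-2025-49151 pattern: public constant -> admin token accepted.
        "forged_accepted_by_naive": verify_naive(forged, HARDCODED_SECRET) is not None,
        # Attacker cannot know a random per-install key -> signature fails.
        "forged_rejected_with_per_install_key": verify_hardened(forged, per_install_key, now) is None,
        # CVE-2025-49152 pattern: no 'exp', so time never invalidates it.
        "no_exp_accepted_by_naive": verify_naive(no_exp, HARDCODED_SECRET) is not None,
        "no_exp_rejected_by_hardened": verify_hardened(no_exp, HARDCODED_SECRET, now) is None,
        # Hardened verifier still accepts a legitimate, fresh token...
        "fresh_token_accepted": verify_hardened(fresh, per_install_key, now) is not None,
        # ...and stops accepting it once 'exp' has passed.
        "fresh_token_rejected_after_expiry": verify_hardened(fresh, per_install_key, now + 901) is None,
    }


if __name__ == "__main__":
    print(json.dumps(compare(), indent=2))
```

Note that rotating the key is also what lets an operator revoke every outstanding token at once, which is exactly the control the non-expiring tokens defeat in the shipped versions. When assessing an instance, a token captured from a legitimate session that is still accepted days later, with no `exp` claim in its payload, is the practical indicator of the second flaw.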

Chained, the flaws give an attacker initial access (CVE-2025-49151, forged JWT), indefinite persistence (CVE-2025-49152, tokens that never expire) and then file overwrite leading to arbitrary code execution (CVE-2025-49153, path traversal).
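The code-execution step of that chain rests on the classic path traversal pattern: a client-supplied file name is joined onto a server directory without checking where the normalised result ends up. The Python below is an added illustration for this advisory, not MICROSENS's code; the upload directory and the file names are constructed for the example. It shows the naive join beside a lexical containment check of the kind a fix needs.

```python
"""Illustrative path traversal demo (added example, not product code).

resolve_naive    -> joins a user-controlled name; '../' walks out of root.
resolve_hardened -> rejects absolute, backslash and escaping paths.
"""
import posixpath
from typing import Dict, Optional, Tuple

UPLOAD_ROOT = "/var/lib/example-nmp/uploads"  # hypothetical server directory


def resolve_naive(root: str, name: str) -> str:
    """Vulnerable pattern: whatever the client sends is appended to root."""
    return posixpath.normpath(posixpath.join(root, name))


def resolve_hardened(root: str, name: str) -> Optional[str]:
    """Fixed pattern: plain relative name only, and the result must stay in root."""
    # Reject empty names, absolute paths, NUL bytes and Windows separators
    # (the product ships on Windows too, where '\\' is a path separator).
    if not name or "\x00" in name or "\\" in name or posixpath.isabs(name):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, name))
    # After normalisation the longest common prefix must still be root itself.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


# Constructed sample inputs: benign names alongside traversal attempts.
SAMPLE_NAMES = [
    "firmware.bin",
    "./logs/../firmware.bin",
    "../../../../etc/cron.d/job",
    "sub/../../escape.sh",
    "/etc/passwd",
    "..\\..\\windows\\win.ini",
]


def evaluate(names=SAMPLE_NAMES, root: str = UPLOAD_ROOT) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each name to (naive result, hardened result or None if rejected)."""
    return {n: (resolve_naive(root, n), resolve_hardened(root, n)) for n in names}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name!r:32} naive={naive!r:40} hardened={hardened!r}")
```

The check is purely lexical, which is the right first gate but not the whole fix: if an attacker can create symlinks under the upload directory, the final path must also be re-validated with the real path (or the file opened with a no-follow flag) before writing.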

The vulnerabilities affect MICROSENS NMP Web+ version 3.2.5 and all earlier versions, on both Windows and Linux.

MICROSENS recommends that all users immediately update to NMP Web+ Version 3.3.0 for both Windows and Linux platforms. The updated version addresses all three identified vulnerabilities.

Organizations should minimize network exposure for all control system devices and ensure they are not accessible from the internet. 
