
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning users of multiple high-impact vulnerabilities discovered in MICROSENS NMP Web+, a widely used network management platform. The advisory, based on research by Claroty Team82 and coordinated with the German BSI CERT-Bund, reveals three serious flaws that could allow unauthenticated attackers to bypass authentication, overwrite system files, or execute arbitrary code.
Three CVEs have been assigned to the issues affecting NMP Web+ Version 3.2.5 and earlier:
- CVE-2025-49151 – Hardcoded JWT Secret (CVSS 9.1 Critical): “The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication,” the advisory explains. This critical vulnerability stems from the use of hard-coded, security-relevant constants in the authentication mechanism, allowing attackers to forge JWTs and access the system without valid credentials.
- CVE-2025-49152 – Persistent Session Tokens (CVSS 7.5 High): “The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system,” the advisory warns. Once issued, the tokens remain valid indefinitely, giving adversaries persistent access if they manage to intercept or generate a valid token.
- CVE-2025-49153 – Path Traversal to Arbitrary Code Execution (CVSS 9.8 Critical): “The affected products could allow an unauthenticated attacker to overwrite files and execute arbitrary code,” the advisory notes. This is the most severe of the three vulnerabilities, potentially allowing remote code execution without any authentication—providing full control over the system.
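The two JWT findings above (a hard-coded signing secret and tokens that never expire) reduce to two checks a token verifier must make. The following Python, added here as an illustration and not code from MICROSENS, Claroty or the advisory, shows a minimal HS256 issuer and verifier that loads its key from an environment variable (JWT_HMAC_SECRET, an assumed name), stamps every token with exp, and rejects any token that lacks exp or has passed it.

```python
import base64, hashlib, hmac, json, os, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def load_secret() -> bytes:
    # Key comes from the environment (or a secrets manager) at start-up, never from a
    # literal in source: one literal shared by every install is the CVE-2025-49151 pattern.
    secret = os.environ.get("JWT_HMAC_SECRET", "")  # variable name is an assumption
    if len(secret) < 32:
        raise RuntimeError("JWT_HMAC_SECRET must be set and at least 32 characters long")
    return secret.encode()

def sign_claims(payload: dict, secret: bytes) -> str:
    # Raw HS256 signing of an arbitrary payload; production code should only call issue_token().
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def issue_token(claims: dict, secret: bytes, ttl_seconds: int = 900, now=None) -> str:
    # Every token carries exp; a token that never expires is the CVE-2025-49152 pattern.
    now = int(time.time()) if now is None else now
    return sign_claims(dict(claims, iat=now, exp=now + ttl_seconds), secret)

def verify_token(token: str, secret: bytes, now=None) -> dict:
    now = int(time.time()) if now is None else now
    h, p, s = token.split(".")  # raises ValueError on a malformed token
    header = json.loads(b64url_decode(h))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg=none and algorithm-confusion tokens
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int):
        raise ValueError("token has no exp claim")  # never-expiring tokens are invalid here
    if now >= exp:
        raise ValueError("token expired")
    return payload

def token_is_valid(token: str, secret: bytes, now=None) -> bool:
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:  # includes binascii.Error and JSONDecodeError from garbage input
        return False
```

Fixed `now` values are passed in so the expiry behaviour is reproducible; in a real service leave `now` unset so the wall clock is used.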
The vulnerabilities affect:
- NMP Web+ Versions 3.2.5 and earlier on both Windows and Linux platforms.
The vendor, MICROSENS, has released NMP Web+ Version 3.3.0, which addresses all three issues. CISA advises users to upgrade immediately.