CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-9962

CVSS 10.0v4.0pub. 2025-09-23upd. 2026-04-15

A buffer overflow vulnerability in Novakon P series allows attackers to gain root permission without prior authentication.This issue affects P series: P – V2001.A.C518o2 until P-2.0.05 Build 2026.02.06 (commit d0f97fd9).

🤖 AI Analysis
How it works

The CWE-120 class error (classic buffer overflow) consists of the lack of proper validation of data size being entered into a memory buffer. A network attacker can supply crafted data exceeding the buffer capacity, which leads to overwriting adjacent memory areas and taking control of program execution flow. The vulnerability is accessible without authentication (PR:N, UI:N), making it particularly dangerous for devices exposed to the network.

Impact

An attacker can obtain root privileges on the HMI device without prior authentication, meaning complete takeover of the device — including the ability to modify configuration, disrupt industrial processes, and perform further lateral movement in the OT/ICS network.

Mitigation & patch

Firmware should be updated to version P-2.0.05 Build 2026.02.06 (commit d0f97fd9) or newer, in accordance with the official Security Advisory from Novakon manufacturer available at the address indicated in the references. Until the update is applied, it is recommended to isolate HMI devices from public networks and restrict network access only to trusted hosts using a firewall.

Who is affected

Novakon P Series HMI — firmware versions from P – V2001.A.C518o2 to P-2.0.05 Build 2026.02.06 (commit d0f97fd9), with exclusion.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Memory
CWE
References