The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a critical advisory warning of multiple severe vulnerabilities in the General Industrial Controls Lynx+ Gateway, an industrial control system used in essential manufacturing sectors worldwide.
The advisory, issued on November 13, 2025, under alert code ICSA-25-317-08, describes flaws that allow remote attackers to gain unauthorized access, reset devices, expose sensitive information, and cause denial-of-service conditions with low complexity.
These issues affect versions R08, V03, V05, and V18 of the Lynx+ Gateway, which serves as a gateway for managing and monitoring industrial operations.
Discovered by researcher Abhishek Pandey from Payatu Security Consulting Pvt. Ltd., the vulnerabilities stem from poor security practices in the device’s embedded web server and network communications.
No public exploitation has been reported yet, but the high CVSS v4 score of 9.2 underscores the urgent need for mitigation.
Technical Details
The Lynx+ Gateway vulnerabilities include four distinct flaws, each enabling different attack vectors that could compromise industrial networks.
First, CVE-2025-55034 involves weak password requirements under CWE-521, allowing brute-force attacks to obtain unauthorized login privileges.
This has a CVSS v3 score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and a v4 score of 8.8 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N), emphasizing high confidentiality impact from network-based exploits.
Second and third, missing authentication for critical functions (CWE-306) appears in CVE-2025-58083 and CVE-2025-59780.
CVE-2025-58083 lets attackers remotely reset the device via the web server, scoring CVSS v3 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H) and v4 9.2 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H), potentially disrupting operations entirely.
CVE-2025-59780 allows unauthenticated GET requests to fetch sensitive device data, with CVSS v3 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and v4 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
Finally, CVE-2025-62765 involves the transmission of sensitive information in cleartext (CWE-319), allowing attackers to intercept network traffic and capture plaintext credentials.
It scores CVSS v3 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and v4 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N), posing a direct risk to confidentiality in unencrypted communications. The table below summarizes these CVEs:
| CVE ID | Vulnerability Type | CWE | CVSS v3 Score | CVSS v4 Score | Key Impact |
|---|---|---|---|---|---|
| CVE-2025-55034 | Weak Password Requirements | 521 | 8.2 | 8.8 | Brute-force unauthorized access |
| CVE-2025-58083 | Missing Authentication (Device Reset) | 306 | 10.0 | 9.2 | Remote device reset |
| CVE-2025-59780 | Missing Authentication (Info Disclosure) | 306 | 7.5 | 8.7 | Sensitive data exposure |
| CVE-2025-62765 | Cleartext Transmission | 319 | 7.5 | 8.7 | Plaintext credential interception |
General Industrial Controls, headquartered in India, did not respond to CISA’s coordination efforts, leaving users without official patches.
This lack of vendor support heightens risks for deployments in critical infrastructure.
Mitigation Recommendations
CISA urges organizations to contact General Industrial Controls for support and implement immediate defensive steps.
Key measures include minimizing internet exposure of control systems, placing devices behind firewalls, and isolating operational technology from business networks.
For remote access, use updated VPNs, but thoroughly assess their security.
Conduct risk assessments before changes, and monitor for malicious activity, reporting incidents to CISA.
Additional resources, such as CISA’s ICS recommended practices and defense-in-depth strategies, offer further guidance for securing industrial environments.
With no known exploits, proactive segmentation can prevent potential attacks on manufacturing operations.





