CVE-2025-59392
📋 TL;DR
This vulnerability allows physical attackers to reset the admin password on Elspec G5 devices by inserting a USB drive with a specific reset string. It affects all Elspec G5 devices running firmware versions through 1.2.2.19. This bypasses authentication controls and gives attackers administrative access.
💻 Affected Systems
- Elspec G5 Multi-Functional Digital Fault Recorder
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control over the device, potentially disrupting critical power grid monitoring/protection functions or using the device as an initial foothold in industrial control networks.
Likely Case
Unauthorized personnel with physical access reset admin credentials, gaining control over device configuration and potentially altering protection settings or accessing sensitive operational data.
If Mitigated
With proper physical security controls, the risk is limited to authorized personnel who could still misuse this capability.
🎯 Exploit Status
Exploitation requires physical USB access and knowledge of the publicly documented reset string. No technical skills needed beyond creating the USB drive.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.2.2.19
Vendor Advisory: https://www.elspec-ltd.com/support/security-advisories/
Restart Required: Yes
Instructions:
1. Check current firmware version.
2. Download latest firmware from Elspec support portal.
3. Follow vendor's firmware update procedure for G5 devices.
4. Verify successful update and test functionality.
🔧 Temporary Workarounds
Physical USB Port Security
Disable or physically secure USB ports to prevent unauthorized USB insertion
Enhanced Physical Security
Implement strict physical access controls to device locations
🧯 If You Can't Patch
- Implement strict physical security controls around all G5 devices including locked enclosures and access monitoring
- Disable USB ports through physical means (USB port blockers, epoxy, etc.) and maintain strict USB device policies
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or serial console. If version is 1.2.2.19 or earlier, device is vulnerable.
Check Version:
Check via web interface at System > About, or via serial console using vendor-specific commands
Verify Fix Applied:
Verify firmware version is greater than 1.2.2.19. Test that USB password reset no longer works by attempting the documented procedure (in controlled environment).
📡 Detection & Monitoring
Log Indicators:
- USB device insertion logs
- Admin password reset events
- Authentication failure followed by successful admin login
Network Indicators:
- Unusual configuration changes from device
- New administrative sessions from unexpected locations
SIEM Query:
source="elspec-g5" AND (event_type="usb_insertion" OR event_type="password_reset" OR (auth_result="failure" FOLLOWED BY auth_result="success" WITHIN 5m))
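One way to implement the query's "FOLLOWED BY ... WITHIN 5m" correlation over exported device events, as an added example that is not vendor or SIEM code. The `event_type` and `auth_result` fields come from the query above; the `ts` and `device` fields, the record layout and the sample events are assumptions constructed for illustration. It goes one step beyond the query by labelling a password reset that follows a USB insertion on the same device within the window.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the query's "WITHIN 5m"

# Constructed sample events. event_type/auth_result are the query's fields;
# "ts" and "device" are assumed fields for this example.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:00:00", "device": "g5-a", "auth_result": "failure"},
    {"ts": "2025-01-10T08:02:30", "device": "g5-a", "event_type": "usb_insertion"},
    {"ts": "2025-01-10T08:03:10", "device": "g5-a", "event_type": "password_reset"},
    {"ts": "2025-01-10T08:04:00", "device": "g5-a", "auth_result": "success"},
    {"ts": "2025-01-10T09:00:00", "device": "g5-b", "auth_result": "failure"},
    {"ts": "2025-01-10T09:20:00", "device": "g5-b", "auth_result": "success"},
]

def detect(events, window=WINDOW):
    """Return (ts, device, reason) tuples for every event the query would match."""
    alerts = []
    last_failure = {}  # device -> time of the most recent failed login
    last_usb = {}      # device -> time of the most recent USB insertion
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, dev = datetime.fromisoformat(ev["ts"]), ev["device"]
        etype, result = ev.get("event_type"), ev.get("auth_result")
        if etype == "usb_insertion":
            last_usb[dev] = ts
            alerts.append((ev["ts"], dev, "usb_insertion"))
        elif etype == "password_reset":
            # Beyond the query: label resets that closely follow a USB insertion.
            usb = last_usb.get(dev)
            chained = usb is not None and ts - usb <= window
            reason = "usb_then_password_reset" if chained else "password_reset"
            alerts.append((ev["ts"], dev, reason))
        if result == "failure":
            last_failure[dev] = ts
        elif result == "success":
            # Match only when the success lands inside the window after a failure.
            failed = last_failure.pop(dev, None)
            if failed is not None and ts - failed <= window:
                alerts.append((ev["ts"], dev, "failure_then_success"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

State is tracked per device, so a failed login on one recorder is never paired with a successful login on another.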