Attention all users of New Rock Technologies equipment! If you’re utilizing one of their cloud-connected devices, this is your red alert to step up your cybersecurity game. The Cybersecurity and Infrastructure Security Agency (CISA) has published a damning advisory outlining seriously exploitable vulnerabilities in multiple New Rock Technologies products. These vulnerabilities could offer attackers a one-way ticket to your devices, granting them full control. Let’s dissect the details.
The Highlights at a Glance
- Targeted Equipment:
- Severity:
- One vulnerability scored 9.3 on the CVSS v4 scale—a critical-level rating. This is not just bad; it’s a complete head-on cyber-disaster waiting to happen.
- A second vulnerability falls into the “high” to “medium-high” range, scoring 6.9 on CVSS v4.
- Exploitation Complexity:
Diving Deeper into the Vulnerabilities
1. OS Command Injection (CVE-2025-0680)
Let’s just say it out loud—command injection vulnerabilities allow hackers to hijack devices and command them to do just about anything. Here's what’s happening with New Rock's gear:
- Vulnerable devices process “cloud RPC commands” with far too little security to neutralize malicious elements injected into those commands.
- If exploited, threat actors can completely take over any affected device. This shakes the very foundation of secure device operation. It’s like handing someone the keys to your house and telling them, "Make yourself at home."
Severity:
- CVSS v4 Base Score: 9.3
- Potential Impact: Complete breach of Confidentiality, Integrity, and Availability—aka, the trifecta of devastation.
2. MQTT Service Wildcard Exploitation (CVE-2025-0681)
Things don’t get much better with the second flaw. New Rock gear has a weakness in its use of MQTT (a messaging protocol often used for IoT devices):
- Devices allow so-called "wildcard" subscriptions—these are dangerously over-permissive and improperly secured.
- Exploitation could permit malicious actors to eavesdrop on sensitive communications flowing through the devices. Think of this as unauthorized wiretapping on steroids.
Severity:
- CVSS v4 Base Score: 6.9
- The danger here is data leakage, particularly where sensitive or private communications exist across affected systems.
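The over-permissive wildcard subscriptions described above can be refused at the broker or in an authorization hook. This added example (not from CISA or New Rock) checks that a requested MQTT topic filter is fully contained in a client's allowed filters; the client ID, topic names and ACL are constructed assumptions.

```python
# Added example: least-privilege check for MQTT SUBSCRIBE requests.
# Client IDs and topic names below are constructed for illustration.

def valid_filter(f):
    """Wildcards must occupy a whole level; '#' may only be the last level."""
    if not f:
        return False
    levels = f.split("/")
    for i, lv in enumerate(levels):
        if ("#" in lv or "+" in lv) and len(lv) != 1:
            return False
        if lv == "#" and i != len(levels) - 1:
            return False
    return True

def covered(requested, allowed):
    """True if every topic matched by `requested` is also matched by `allowed`."""
    req, alw = requested.split("/"), allowed.split("/")
    # Per the MQTT spec, a leading wildcard never matches '$'-prefixed topics.
    if req[0].startswith("$") and alw[0] in ("#", "+"):
        return False
    for i, a in enumerate(alw):
        if a == "#":
            return True            # allowed grants this whole subtree
        if i >= len(req) or req[i] == "#":
            return False           # request is shorter or broader than the grant
        if a == "+":
            continue               # any single level (literal or '+') fits in '+'
        if req[i] != a:
            return False           # literal mismatch, or '+' against a literal
    return len(req) == len(alw)

def authorize_subscribe(client_id, requested, acl):
    """Allow a subscription only if one ACL entry fully contains it."""
    if not valid_filter(requested):
        return False
    return any(covered(requested, a) for a in acl.get(client_id, []))

# Constructed ACL: each gateway may read only its own RPC and status topics.
ACL = {"gw-0017": ["devices/gw-0017/rpc/+", "devices/gw-0017/status"]}

def demo():
    asks = ["devices/gw-0017/rpc/reboot", "devices/gw-0017/rpc/+",
            "devices/+/rpc/+", "devices/gw-0017/#", "#"]
    return {t: authorize_subscribe("gw-0017", t, ACL) for t in asks}

if __name__ == "__main__":
    for topic, ok in demo().items():
        print(("ALLOW" if ok else "DENY "), topic)
```

A default-deny result for unknown clients and for any filter broader than the grant is the behaviour to look for when reviewing a broker's ACL configuration.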
Industries on Watch: Who’s At Risk?
Guess what? This isn’t just a problem for home offices and small businesses. These devices are deployed worldwide in two critical infrastructure sectors:
- Healthcare: Imagine someone hacking communication networks at a hospital.
- Communications and Telecom: This impacts ISPs, VoIP providers, and even call centers.
Why This Matters Globally
Adding fuel to the fire, New Rock Technologies is headquartered in China, which might raise concerns about supply-chain risks and state-sponsored exploitation. This level of vulnerability also makes an enticing target for ransomware groups, cyber espionage campaigns, or even chaos-wreaking amateurs looking to test their skill.
More disturbingly, New Rock Technologies hasn’t even responded to requests from CISA for collaboration to secure these vulnerabilities. When the manufacturer is this quiet, users need to become their own line of defense.
Mitigation: What Should You Do NOW?
Let’s be crystal clear—these vulnerabilities are actively exploitable, and it’s on users to implement damage control. Here’s what CISA recommends to stay in the game:
1. Harden Your Network
- Limit exposure: Ensure all affected New Rock devices and control systems aren’t exposed to the open internet.
- Isolate: Place them behind secure, preferably hardware-based, firewall rules. Even better, separate them from the broader business network.
- Monitor: Keep an eye on unusual or unexpected activity.
2. Secure Remote Access
If your setup requires remote device access:
- Rely on Virtual Private Networks (VPNs) for secure connectivity.
- Also, ensure any third-party software like VPN tools is up-to-date because attackers adore outdated dependencies.
3. Fall Back on Best Practices
From encryption protocols to limiting wildcard subscriptions, prioritizing least-privilege configurations is essential. Resources like CISA’s Defense-in-Depth guide for Industrial Control Systems (ICS) offer powerful step-by-step strategies. CISA even has tech guidance papers like ICS-TIP-12-146-01B for detection of targeted intrusions. Get reading, folks.
The Uncomfortable Reality
While there are currently no public exploits reported in the wild, that doesn’t mean these vulnerabilities are flying under the radar of malicious actors. Every day that New Rock Technologies ignores this, the cybersecurity clock ticks louder as exploit developers potentially sharpen their tools.
What’s Next?
- Organizations must take proactive steps NOW before these riskiest-of-risks spiral out of control.
- Stay vigilant. If you’re unlucky enough to be running one of these devices, immediate action is non-negotiable.
- For those connected to critical infrastructure systems: follow the reporting procedures in case of even a sniff of malware or exploit patterns. In many cases, calling CISA and documenting your findings can mean the difference between containment and a full-scale operational meltdown.
Final Thoughts
Wouldn’t it be nice if manufacturers like New Rock proactively worked with global cybersecurity bodies? Yes. Should you place your bets on them eventually doing so? No.
If you’re on the frontlines of defending your business or household network, take CISA’s advice seriously. Ignore these flaws at your peril because cyber adversaries certainly won’t. Whether it’s limiting your attack surface or patching vulnerabilities when updates are (hopefully) released, staying a step ahead could protect your data, reputation, and business continuity.
So, is your tech stack still feeling “rock solid”? Probably not—better start hardening now!
Source: CISA https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-02