WeOS 5 ESP Vulnerability CVE-2025-46419 - Patch to 5.24.0

Westermo’s industrial networking OS, WeOS 5, contains a remote-denial vulnerability that can trigger an immediate reboot when the device is configured for IPsec and sent a carefully crafted Encapsulating Security Payload (ESP) packet — an issue tracked as CVE‑2025‑46419 and documented by both the vendor and U.S. federal authorities. (cisa.gov)

Overview​

Industrial network gear is a frequent vector for operational disruption because appliances such as managed switches and routers often live at the heart of critical infrastructure networks. The newly publicized WeOS 5 defect is an input‑validation flaw in the ESP packet handler that can be caused by a malformed IPsec packet; on affected versions it results in a device reboot and therefore a denial‑of‑service (DoS) condition for network connectivity and dependent control systems. (cisa.gov)
Key facts at a glance:

• Vulnerability: Improper validation of syntactic correctness of input (CWE‑1286) affecting ESP packet parsing. (nvd.nist.gov)
• CVE identifier: CVE‑2025‑46419. (nvd.nist.gov)
• Affected versions: WeOS 5 — versions 5.23.0 and prior. (cisa.gov)
• Vendor fix: WeOS 5.24.0 addresses the issue; vendors recommend upgrading. (westermo.com)
• Severity: CVSS v3.1 base score 5.9 (Medium) and CVSS v4 base score 8.2 (High), reflecting differing scoring methodologies and the availability of a CVSS v4 evaluation. (cisa.gov)

---

Background: why this matters for industrial networks​

Industrial switches and routers running WeOS are commonly deployed in sectors where uptime and predictable networking are essential — energy, water, manufacturing, transportation, and commercial facilities. Because these environments often include tightly coupled control systems and real‑time processes, a seemingly simple reboot can cause cascading operational problems: loss of telemetry, interruption of control loops, fail‑over churn, and manual recovery procedures that require on‑site intervention. CISA’s advisory explicitly lists several critical infrastructure sectors as being in scope for impact. (cisa.gov)
ESP (Encapsulating Security Payload) is a core component of IPsec. It’s used to encrypt and protect traffic in VPN/IPsec tunnels. A vulnerability in ESP packet handling therefore has two particularly important operational implications:

• The attack surface can include any IPsec‑enabled interface reachable to an attacker (including adjacent or routed networks). (nvd.nist.gov)
• Attacking IPsec processing in a forwarding device can be low-cost for an attacker who can inject or relay traffic into the device’s network path. The impact is concentrated on availability (reboot/DoS), not confidentiality or integrity, according to public scoring. (cisa.gov)

---

Technical breakdown​

1. Root cause​

The weakness is classified under CWE‑1286 — Improper Validation of Syntactic Correctness of Input. In plain terms, the WeOS 5 ESP packet parser expects well‑formed ESP messages but fails to correctly validate certain syntactic conditions; a crafted malformed packet causes an internal error that leads to an immediate device reboot. This is a classic input‑parsing failure common in protocol stacks. (nvd.nist.gov)

2. Exploit characteristics​

• Vector: network (attacker sends a malicious ESP packet to an IPsec‑configured interface). (cisa.gov)
• Authentication: none required — the attacker only needs network reachability to the device’s IPsec interface or the ability to inject ESP packets on path. (cvedetails.com)
• Impact: forced reboot (availability loss) causing service disruption and requiring manual or automated recovery depending on the environment. (cisa.gov)

3. Attack complexity and scoring nuance​

Public records show a CVSS v3.1 score of 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H and a CVSS v4 score of 8.2 (High) under a v4 vector reflecting availability‑focused impact. The difference arises because CVSS v4 incorporates actor and victim attributes differently, and in this case it weights the high availability impact more heavily. Both scores are published in the advisory ecosystem and should be considered when prioritizing mitigations. (cvedetails.com)

---

Affected products and vendor response​

Westermo’s published security advisory list and product pages identify WeOS 5 versions 5.23.0 and earlier as affected and state the issue is fixed in WeOS 5.24.0 (firmware release date shown on vendor product pages: 2025‑03‑27 for WeOS v5.24.0). Customers are advised to obtain the 5.24.0 firmware from Westermo’s support/download channels and to follow their upgrade guidance. (westermo.com)
CISA has republished Westermo’s advisory as an ICS advisory (ICSA‑25‑261‑02), summarizing the risk, confirming the CVE assignment, and recommending that operators upgrade or implement compensating controls such as network segmentation and reduced exposure of control system devices to untrusted networks. CISA also notes the vulnerability was reported by Westermo to CISA and that there were no known reports of public exploitation at the time of publication. (cisa.gov)

---

Mitigation and remediation guidance (practical playbook)​

Operators should treat this vulnerability as actionable and prioritize remediation according to exposure, criticality, and operational constraints. Below is a prioritized list of steps — start at the top and work down based on your environment.

• Immediate (0–24 hours)
• Identify all Westermo WeOS 5 devices (inventory by firmware string); note which are configured for IPsec. (cisa.gov)
• If a device is reachable from untrusted networks (Internet or corporate networks that are not strictly trusted), restrict access immediately: block IPsec/ESP traffic at perimeter firewalls or ACLs until a patch can be applied. (cisa.gov)
• If feasible, disable IPsec on devices that do not strictly require it until patched; otherwise, restrict the remote endpoints allowed to establish IPsec sessions to known, hardened peers. (cisa.gov)
• Short term (24–72 hours)
• Schedule maintenance windows for upgrades and test the patch on representative devices in staging.
• Apply WeOS 5.24.0 to affected devices (Westermo reports the vulnerability removed in this release). (westermo.com)
• Where patching is delayed by operational constraints, implement compensating controls:
• Tighten firewall rules to drop unexpected ESP packets destined to WeOS devices.
• Use network segmentation and jump hosts for management access.
• Apply monitoring for device reboots, unexpected state changes, and anomalous IPsec/ESP traffic patterns. (cisa.gov)
• Medium term (weeks)
• Validate configuration baselines and hardening guides for WeOS devices (disable unused services, enforce strong authentication for management, enable logging with secure log collection). (westermo.com)
• Expand detection capability: implement IDS/IPS signatures for anomalous ESP frames and add device‑level telemetry to SIEM dashboards.
• Train on incident recovery: ensure on‑site staff can safely power‑cycle and handle manual recovery when required.
• Long term (policy/process)
• Enforce vendor patch policies, maintain an inventory with firmware levels for all network infrastructure, and include WeOS devices in change management and vulnerability scanning schedules.
• Use network micro‑segmentation and zero‑trust principles where feasible for OT environments to reduce the blast radius of device compromises. (cisa.gov)

---

Detection and monitoring tips​

• Monitor management and system logs for unexpected reboots and IPsec session failures; establish alerting with a low threshold for consecutive reboots. (cisa.gov)
• Use packet captures in controlled environments to observe unusual ESP traffic; malformed or non‑standard ESP packets may indicate exploitation attempts. Exercise caution: capturing and inspecting encrypted ESP payloads has privacy and operational considerations.
• Employ network sensors that can flag malformed protocol frames or repeated malformed ESP packet flows targeted at WeOS devices; correlate with device uptime alerts to detect a possible exploitation attempt in progress. (cisa.gov)

---

Why rapid patching is recommended (risk calculus)​

• Operational impact: Reboots in field devices can require physical presence to recover, cause automation failures, and potentially force manual, slow, and error‑prone fallbacks. The availability impact is immediate and tangible. (cisa.gov)
• Attack feasibility: Although some public scoring indicates high attack complexity for this specific issue (depending on network positioning), attackers frequently exploit easier routes (misconfigurations, pivoting via compromised VPN endpoints, or adjacent network access). Minimizing exposure is therefore prudent. (cvedetails.com)
• Patch availability: Westermo has released WeOS 5.24.0 containing the fix, so there is a straightforward remediation path rather than only mitigations. That lowers the operational barrier to remediation for administrators who can schedule firmware updates in their maintenance windows. (westermo.com)

---

Independent corroboration and scoring nuance​

Multiple independent vulnerability databases and tracking services have recorded CVE‑2025‑46419 and echo the essential details: malformed ESP packet leads to reboot on WeOS 5 ≤ 5.23.0, and WeOS 5.24.0 contains the fix. Examples include NVD, CVE aggregation sites, and commercial trackers such as Tenable and CVEDetails; these sources confirm the CVE description and scoring differences between CVSS versions. Use these independent records to feed enterprise vulnerability management tools and ticketing systems for prioritized remediation. (nvd.nist.gov)
Cautionary note: a CVSS v3.1 score of 5.9 versus a CVSS v4 score of 8.2 demonstrates how scoring frameworks can produce materially different prioritization signals. For OT networks — where availability and physical recovery costs dominate — the higher CVSS v4 assessment can be a more relevant prioritization signal. Treat both scores as inputs, not absolutes, when planning remediations. (cisa.gov)

---

Known exploitation and threat landscape​

At the time the advisory was republished and aggregated across the public ecosystem, CISA reported no known public exploitation specifically targeting this vulnerability. That is an important but time‑sensitive datapoint: absence of observed exploitation should not be equated with absence of risk. Historical patterns show that once a public CVE and patch are available, exploitation attempts frequently follow. Operators should assume adversaries will attempt to weaponize any remotely reachable protocol parsing bug. Continuous monitoring and rapid patching are the prudent response. (cisa.gov)

---

Practical checklist for Windows‑centric operations teams integrating with OT​

Many Windows teams support or interact with operational infrastructure (NMS, SIEM, patch servers, remote support). The following checklist reflects the intersection of standard IT practice with the specifics of this WeOS advisory:

• Ensure accessible firmware builds (WeOS 5.24.0) are downloaded from vendor sites and staged on hardened Windows update hosts or patch servers with integrity checks. (westermo.com)
• Confirm all IPsec tunnels terminate only on authorized, patched endpoints; block unnecessary IPsec traffic at enterprise firewalls. (cisa.gov)
• Update inventory (CMDB) entries in Windows‑based asset management systems with firmware level and IPsec configuration flags for each WeOS device.
• Push alerts from network management tools into your Windows‑based SOC/SIEM and configure playbooks for automatic ticket creation when device reboots are detected. (cisa.gov)

---

Risks and limitations of mitigations​

• Blocking ESP traffic at the firewall may be operationally disruptive if legitimate IPsec tunnels are used for remote access or vendor connectivity. Any ACL changes should be tested in maintenance windows and coordinated with operational stakeholders. (cisa.gov)
• Disabling IPsec is only a temporary mitigation and may not be acceptable where encrypted links are required by policy or regulation. Patching is the only long‑term fix. (westermo.com)
• Some monitoring and IDS systems may not reliably decode ESP packets for signature matching because of encryption; behavioral baselines (reboot patterns, session anomalies) are more effective for detection in many cases. (cisa.gov)

---

Final assessment and recommendations​

This is a meaningful vulnerability for operators that run Westermo WeOS 5 devices with IPsec enabled. The combination of a protocol parsing bug in a widely deployed industrial OS and the availability of an official patch makes this a high‑priority operational patch cycle for affected organizations. Immediate action steps are straightforward: inventory, restrict exposure, schedule upgrades to WeOS 5.24.0, and implement compensating controls where immediate patching is not possible. (cisa.gov)
For risk‑averse organizations, treat the CVSS v4 assessment and CISA’s advisory as the primary drivers for urgency: availability loss in OT is expensive and sometimes unsafe. Prioritize devices that are IPsec‑enabled and reachable from untrusted networks, plan upgrades with testing, and monitor for reboot indicators and anomalous ESP flows during and after remediation. (cisa.gov)

---

Westermo and federal advisories are publicly available and should be consulted for vendor‑specific upgrade procedures and any subsequent updates. Operators are advised to verify firmware versions against vendor download pages and to follow formal change management and testing before applying production firmware updates. (westermo.com)
Conclusion: this vulnerability is fixable but impactful — act quickly, coordinate across IT/OT teams, and use the vendor patch (WeOS 5.24.0) as the definitive remediation while applying layered compensating controls to reduce exposure in the meantime. (cisa.gov)

---

Source: CISA Westermo Network Technologies WeOS 5 | CISA