New Rock Technologies Cloud Connected Devices
Act Now | 9.8 | ICS-CERT ICSA-25-030-02 | Jan 30, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
New Rock Technologies OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone devices contain command injection and improper input validation flaws (CWE-78, CWE-155) that allow unauthenticated remote attackers to execute arbitrary commands with full system privileges. Successful exploitation grants complete device control, potentially compromising voice communications, call routing, and availability. All versions of these products are affected. The vendor has not responded to CISA requests for a security update and has not announced a patch.
What this means
What could happen
An attacker who reaches these devices could gain full control and potentially intercept voice communications, alter call routing, or disable phone system operations. This could block critical notifications and emergency communications in your facility.
Who's at risk
Water utilities and electrical cooperatives using New Rock Technologies VoIP phone systems (OM500 IP-PBX units, MX8G VoIP gateways, or NRP1302/P phones) for operational communications should take immediate action. Operators who depend on these devices for emergency notifications, inter-facility coordination, or SCADA system alerts are at risk.
How it could be exploited
An attacker with network access to the device (via internet exposure, compromised internal network, or default routing) can exploit command injection or improper input validation flaws to execute arbitrary commands with full system privileges, gaining complete device control.
Prerequisites
- Network reachability to the affected device (IP-PBX or VoIP gateway) from the internet or compromised internal network
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects communication systems critical to facility operations
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (3)
3 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| OM500 IP-PBX | All versions (vers:all/*) | No fix (EOL) |
| MX8G VoIP Gateway | All versions (vers:all/*) | No fix (EOL) |
| NRP1302/P Desktop IP Phone | All versions (vers:all/*) | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation: isolate VoIP and IP-PBX devices on a separate VLAN from business and control networks, restricting inbound traffic to only authorized endpoints
- HARDENING: Block internet access to affected IP-PBX and VoIP gateway devices using firewall rules; restrict management access to authorized engineering workstations only
- WORKAROUND: If remote access is required, implement VPN access with multi-factor authentication and maintain current VPN software versions
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Verify the current firmware versions of all OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone devices in your network
- HARDENING: Contact New Rock Technologies customer support to request security updates or product recommendations for future procurement
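One way to check the segmentation and firewall items above against your own records, as an added example that is not part of the advisory. The voice VLAN subnet, the authorized management workstation address, the CSV column names and both sample exports are constructed assumptions; only the three model names come from this page.

```python
import csv
import io
import ipaddress

# Model name fragments taken from the advisory's affected-products list.
AFFECTED_MODELS = ("OM500", "MX8G", "NRP1302")

# Assumptions (constructed): dedicated voice VLAN and authorized management sources.
VOICE_VLAN = ipaddress.ip_network("10.20.30.0/24")
MGMT_ALLOWED = [ipaddress.ip_network("10.20.99.10/32")]

# Constructed sample asset inventory export.
INVENTORY_CSV = """hostname,model,ip
pbx-01,OM500 IP-PBX,10.20.30.5
gw-01,MX8G VoIP Gateway,192.168.1.40
phone-17,NRP1302/P Desktop IP Phone,10.20.30.117
sw-01,Generic Switch,10.20.30.2
"""

# Constructed sample firewall export: inbound rules by source CIDR and destination host.
RULES_CSV = """src,dst,action
0.0.0.0/0,10.20.30.5,allow
10.20.99.10/32,10.20.30.117,allow
10.0.0.0/8,192.168.1.40,allow
"""

def audit(inventory_csv, rules_csv):
    """Return (hostname, finding) pairs for affected devices that violate the mitigations."""
    rules = list(csv.DictReader(io.StringIO(rules_csv)))
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not any(m in row["model"].upper() for m in AFFECTED_MODELS):
            continue  # not one of the affected products
        ip = ipaddress.ip_address(row["ip"])
        if ip not in VOICE_VLAN:
            findings.append((row["hostname"], "not on voice VLAN"))
        for rule in rules:
            if rule["action"] != "allow" or ipaddress.ip_address(rule["dst"]) != ip:
                continue
            src = ipaddress.ip_network(rule["src"])
            # Any allowed source wider than the authorized workstations is a finding.
            if not any(src.subnet_of(allowed) for allowed in MGMT_ALLOWED):
                findings.append((row["hostname"], f"inbound allowed from {src}"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(INVENTORY_CSV, RULES_CSV):
        print(f"{host}: {finding}")
```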
CVEs (2)