New Rock Technologies Cloud Connected Devices

Plan PatchCVSS 9.8ICS-CERT ICSA-25-030-02Jan 30, 2025

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

New Rock Technologies OM500 IP-PBX, MX8G VoIP Gateway, and NRP1302/P Desktop IP Phone devices contain command injection and improper input validation vulnerabilities (CWE-78, CWE-155) affecting all versions. Successful exploitation allows an attacker to gain full device control. The vendor has not responded to CISA's remediation efforts and has not provided patches or fixes. No public exploitation has been reported to date.

What this means

What could happen

An attacker with network access could gain full control of affected New Rock Technologies IP-PBX, VoIP gateway, or IP phone devices, enabling them to intercept calls, inject fraudulent traffic, or disrupt voice communications throughout your organization.

Who's at risk

Organizations operating New Rock Technologies OM500 IP-PBX systems, MX8G VoIP gateways, or NRP1302/P desktop IP phones should treat this as urgent. This affects voice communications infrastructure in enterprises, municipal agencies, and service providers that rely on these systems for internal telephony and external call handling.

How it could be exploited

An attacker on the network (or via the internet if the device is exposed) sends a malicious input to the device that exploits command injection or improper input validation, allowing them to execute arbitrary commands with the privileges of the device service.

Prerequisites

Network access to the device (Layer 3 or higher)
Device exposed to untrusted network or reachable from the internet
No authentication required to send the malicious payload

remotely exploitableno authentication requiredlow complexityno patch availablevendor unresponsive

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

OM500 IP-PBX: vers:all/*All versionsNo fix (EOL)

MX8G VoIP Gateway: vers:all/*All versionsNo fix (EOL)

NRP1302/P Desktop IP Phone: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDRestrict network access to New Rock Technologies devices by firewall rules—only allow traffic from authorized endpoints and management workstations on necessary ports (typically SIP port 5060/5061 for VoIP)

HARDENINGIsolate New Rock Technologies devices on a dedicated, air-gapped voice network segment separate from general IT networks and untrusted networks

WORKAROUNDDisable remote access to these devices from the internet; if remote management is required, use a VPN with multi-factor authentication and restrict to specific IP addresses

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact New Rock Technologies customer support to inquire about firmware updates, patches, or end-of-life guidance for your specific device models

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: OM500 IP-PBX: vers:all/*, MX8G VoIP Gateway: vers:all/*, NRP1302/P Desktop IP Phone: vers:all/*. Apply the following compensating controls:

HARDENINGMonitor network traffic to and from New Rock Technologies devices for suspicious activity using network intrusion detection systems

CVEs (2)

CVE-2025-0680 CVE-2025-0681

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/60131291-3d77-4447-9de5-0b1ff55a2f3f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.