Güralp Systems FMUS Series and MIN Series Devices (Update B)

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-212-01 | Jul 31, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Güralp FMUS Series and MIN Series devices contain an authentication bypass vulnerability in their Telnet interface (CVE-2025-8286). An attacker can remotely connect without credentials and modify hardware configurations, manipulate measurement data, or factory reset the device. FMUS Series devices in all versions are not receiving a patch. MIN Series devices (Minimus-based, including Fortimus and Certimus) receive protection through experimental firmware v2.1-29897, which adds Telnet authentication requirements. Güralp recommends network-level mitigations including firewall restrictions, VPN for remote access, and avoiding direct Internet exposure.

What this means
What could happen
An attacker with network access to a Güralp seismic monitoring device could reset the device to factory settings, modify sensor configurations, or corrupt measurement data without providing any credentials. This could render the device non-functional or cause false readings to be sent to your monitoring systems.
Who's at risk
Seismic monitoring sites and earthquake early warning systems using Güralp FMUS Series devices (all versions affected, no patch available) and Güralp MIN Series digitizing devices (all versions affected, fixed in experimental firmware v2.1-29897). This affects organizations operating real-time seismic monitoring networks, research institutions, and utilities relying on seismic data for safety and warning systems.
How it could be exploited
An attacker on the same network segment (or with network access to the device's Telnet port 23) can connect to the unprotected Telnet interface and execute commands to modify hardware configuration, manipulate data, or perform a factory reset without supplying any username or password.
Prerequisites
  • Network access to Telnet port 23 on the affected device
  • Device is reachable from the attacker's network segment or the Internet if not firewalled
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • FMUS devices have no fix available
  • Affects seismic monitoring and safety systems
Exploitability
Unlikely to be exploited — EPSS score 0.6%
Affected products (2)
1 with fix, 1 pending

Product | Affected Versions | Fix Status
Güralp FMUS Series Seismic Monitoring Devices: vers:all/* | All versions | No fix yet
Güralp MIN Series Digitizing Devices: vers:all/* | All versions | v2.1-29897 (experimental)
Remediation & Mitigation
Do now
  • WORKAROUND: Block inbound Telnet access (port 23) at the firewall unless specifically required for legitimate management
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Update MIN Series devices to firmware v2.1-29897 or later to enable Telnet authentication
Long-term hardening
  • HARDENING: Implement network segmentation to isolate seismic monitoring devices on a dedicated VLAN or management network separate from general IT networks
  • HARDENING: If remote access to devices is required, use a VPN gateway or secure jump host instead of exposing devices directly to the network
  • HARDENING: Ensure all Güralp devices are behind firewall rules that restrict access to only authorized management workstations by IP address
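
To confirm that the Telnet restriction is actually in force, firewall or flow logs can be checked for TCP port 23 traffic reaching the devices from anywhere other than the authorized management workstations. The following is an added example, not part of the advisory or of any Güralp tooling; the log format, device subnet and workstation address are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing plan (constructed values); replace with your own.
DEVICE_NETS = [ip_network("10.20.30.0/24")]  # seismic device VLAN
MGMT_HOSTS = {ip_address("10.20.1.10")}      # authorized management workstation
TELNET_PORT = 23

# Constructed sample records in an assumed format: time src dst dport proto action
SAMPLE_LOG = """\
2025-08-01T02:14:07Z 10.20.1.10 10.20.30.15 23 tcp allow
2025-08-01T02:15:41Z 10.20.7.88 10.20.30.15 23 tcp allow
2025-08-01T02:16:02Z 203.0.113.45 10.20.30.16 23 tcp allow
2025-08-01T02:16:30Z 203.0.113.45 10.20.30.16 23 tcp deny
2025-08-01T02:17:12Z 10.20.7.88 10.20.30.15 443 tcp allow
2025-08-01T02:18:00Z 10.20.7.88 10.99.0.5 23 tcp allow
truncated record
"""

def parse_flow(line):
    """Return (time, src, dst, dport, proto, action), or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, action = parts
    try:
        return ts, ip_address(src), ip_address(dst), int(dport), proto.lower(), action.lower()
    except ValueError:
        return None

def audit_telnet_flows(log_text):
    """Flag Telnet flows to device networks from non-allow-listed sources."""
    findings, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        flow = parse_flow(line)
        if flow is None:
            skipped += 1  # count unparseable records instead of hiding them
            continue
        ts, src, dst, dport, proto, action = flow
        to_device = any(dst in net for net in DEVICE_NETS)
        if proto != "tcp" or dport != TELNET_PORT or not to_device or src in MGMT_HOSTS:
            continue
        # Allowed: the firewall rule is missing. Denied: the rule held.
        status = "EXPOSED" if action == "allow" else "BLOCKED_ATTEMPT"
        findings.append({"time": ts, "src": str(src), "dst": str(dst), "status": status})
    return findings, skipped

if __name__ == "__main__":
    results, bad = audit_telnet_flows(SAMPLE_LOG)
    for f in results:
        print(f"{f['status']:<16}{f['time']} {f['src']} -> {f['dst']}:{TELNET_PORT}")
```

An EXPOSED finding means a Telnet session from a non-authorized source was permitted through to a device and the firewall rule needs correcting; a BLOCKED_ATTEMPT shows the rule held.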