OTPulse

Güralp Systems FMUS Series and MIN Series Devices (Update B)

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-212-01 · Jul 31, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Güralp FMUS Series Seismic Monitoring Devices and MIN Series Digitizing Devices lack authentication on Telnet access. An unauthenticated attacker with network access to the Telnet port can modify hardware configurations, manipulate data, or perform factory resets.

What this means
What could happen
An attacker could remotely reset seismic monitoring or digitizing equipment, alter configuration settings, or corrupt recorded data without needing any credentials, disrupting critical monitoring operations and data integrity.
Who's at risk
Water utilities and seismic monitoring networks using Güralp FMUS Series Seismic Monitoring Devices or MIN Series Digitizing Devices (including Fortimus and Certimus variants) for earthquake detection, hydrophone arrays, or other geophysical monitoring are affected. Any facility using these devices on networks accessible from untrusted sources faces risk.
How it could be exploited
An attacker with network access to the device sends a Telnet connection request to the device's Telnet port (typically port 23). The device accepts the connection without requiring login credentials. The attacker then issues commands through the unauthenticated Telnet session to modify configurations, manipulate data, or factory reset the device.
Prerequisites
  • Network access to the device's Telnet port (port 23 or configured alternative)
  • Device must have Telnet service enabled and accessible from attacker's network location
  • No authentication required
Remotely exploitable · No authentication required · Low complexity · No patch available for most products · High CVSS score (9.8) · Affects critical monitoring infrastructure
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
1 with fix · 1 pending
Product | Affected Versions | Fix Status
Güralp FMUS Series Seismic Monitoring Devices: vers:all/* | All versions | No fix yet
Güralp MIN Series Digitizing Devices: vers:all/* | All versions | v2.1-29897 (experimental)
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to seismic monitoring devices—place them behind firewalls and block inbound Telnet traffic (port 23) from untrusted networks
  • WORKAROUND: If remote access is required, deploy a VPN or secure jump host so connections route through encrypted, authenticated channels instead of direct Telnet
  • WORKAROUND: Disable Telnet service on the device if it is not required for normal operation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Evaluate and deploy experimental firmware v2.1-29897 (or later) to add authentication to Telnet access after testing in a controlled environment to ensure operational compatibility
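
One way to verify that the hardening and workaround steps above are holding, as an added example that is not part of the original advisory or any vendor guidance: a Python check over a firewall flow export that reports every accepted connection to a device's Telnet port from a source other than the jump host or VPN pool. The device addresses, the allowlist, the alternative port 2323, and the CSV layout are all constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed inventory: device IP -> Telnet port (23 or a configured alternative).
DEVICES = {"192.0.2.10": 23, "192.0.2.11": 23, "192.0.2.12": 2323}
# Constructed allowlist: the jump host and the VPN address pool.
ALLOWED_SOURCES = [ip_network("10.20.0.5/32"), ip_network("10.99.0.0/24")]

# Constructed firewall flow export: time, source, destination, dest port, action.
SAMPLE_FLOWS = """\
time,src,dst,dport,action
2025-08-01T02:14:07Z,10.20.0.5,192.0.2.10,23,accept
2025-08-01T02:15:44Z,203.0.113.77,192.0.2.10,23,accept
2025-08-01T02:16:02Z,203.0.113.77,192.0.2.11,23,deny
2025-08-01T02:19:30Z,10.99.0.14,192.0.2.12,2323,accept
2025-08-01T02:21:09Z,172.16.4.9,192.0.2.12,2323,accept
2025-08-01T02:22:51Z,172.16.4.9,192.0.2.12,443,accept
"""

def is_allowed(src):
    """True when the source address is the jump host or inside the VPN pool."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_exposed_telnet(flow_csv):
    """Return accepted flows that reached a device's Telnet port from outside the allowlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = DEVICES.get(row["dst"])
        if port is None or int(row["dport"]) != port:
            continue  # not an inventoried device, or not its Telnet port
        if row["action"] != "accept":
            continue  # blocked by the firewall, as the hardening step intends
        if not is_allowed(row["src"]):
            findings.append((row["time"], row["src"], row["dst"], port))
    return findings

if __name__ == "__main__":
    for time, src, dst, port in find_exposed_telnet(SAMPLE_FLOWS):
        print(f"{time} direct Telnet {src} -> {dst}:{port} bypassed the jump host/VPN")
```

Any finding means the firewall rule set still lets a non-management source reach the unauthenticated Telnet service on that device.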