Dover Fueling Solutions ProGauge MagLink LX 4 Devices Use of Hard-coded Cryptographic Key
Summary
| CVE | CVE-2025-54807 |
|---|---|
| State | PUBLISHED |
| Assigner | icscert |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-09-18 21:15:48 UTC |
| Updated | 2026-04-15 00:35:42 UTC |
| Description | The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system. |
Risk And Classification
Primary CVSS: v4.0 9.3 CRITICAL from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000940000 probability, percentile 0.261770000 (date 2026-06-04)
Problem Types: CWE-321 | CWE-321 CWE-321
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Dover Fueling Solutions | ProGauge MagLink LX 4 | affected 4.20.3 custom | Not specified |
| CNA | Dover Fueling Solutions | ProGauge MagLink LX Plus | affected 4.20.3 custom | Not specified |
| CNA | Dover Fueling Solutions | ProGauge MagLink LX Ultimate | affected 5.20.3 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.cisa.gov/news-events/ics-advisories/icsa-25-261-07 | [email protected] | www.cisa.gov | |
| www.doverfuelingsolutions.com/mea/en/products-and-solutions/automatic-tank-gauging/consoles... | [email protected] | www.doverfuelingsolutions.com | |
| github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-26... | https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-261-07.json | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Pedro Umbelino of Bitsight TRACE reported these vulnerabilities to CISA. (en)
Additional Advisory Data
Solutions
CNA: Dover Fueling Solutions recommends users update their ProGauge MagLink devices to Version 4.20.3 or later for MagLink LX 4 and MagLink LX Plus models. The upgrade can be downloaded from the Dover Fueling Solutions website https://www.doverfuelingsolutions.com/mea/en/products-and-solutions/automatic-tank-gauging/consoles/progauge-maglink-lx-4-console.html .For MagLink LX Ultimate devices, Dover Fueling Solutions recommends users update to version 5.20.3 https://www.doverfuelingsolutions.com/mea/en/products-and-solutions/automatic-tank-gauging/consoles/progauge-maglink-lx-ultimate-console.html or later. Dover Fueling Solutions recommends all users install the software behind a firewall to minimize risk of remote attacks.