CVE-2025-36729 HIGH

CVE-2025-36729: RACOM M!DGE2 Privilege Escalation via SDK Testing Endpoint

Vendor: Racom
Product: M!DGE2
Weakness: CWE-269
Published: August 26, 2025
Last update: September 5, 2025

CVSS base score

7.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A non-primary administrator user who has admin rights to the web interface but no shell access permissions can display the configuration of the device, including the master admin password. This vulnerability also allows the user to give themselves shell access with the root GID.

Key dates

02 Disclosure timeline

August 26, 2025: CVE published
September 5, 2025: Record updated