CRITICAL🇵🇱 Wersja polska

CVE-2025-41648

CVSS 9.8v3.1pub. 2025-07-01upd. 2026-04-15

An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI.

🤖 AI Analysis
How it works

An error classified as CWE-704 (improper type conversion) in the web application authentication mechanism allows an attacker to bypass the login process. The attack requires no privileges, user interaction, or special network conditions — network access to the device's web interface is sufficient. After successfully bypassing login, the attacker gains unrestricted access to the administration panel.

Impact

An attacker can read and modify all available IndustrialPI device settings, which in an industrial environment can lead to process disruption, loss of configuration confidentiality, and violation of system integrity and availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references (VDE-2025-039 guide). Until the fix is implemented, it is recommended to restrict network access to the IndustrialPI web interface exclusively to trusted hosts and to segment the industrial network.

Who is affected

IndustrialPI devices — specific versions indicated in the manufacturer's references (VDE-2025-039 guide available at certvde.com)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References