Endress+Hauser: Proline 10 Maintenance credentials may be exposed under certain conditions

VDE-2025-068
Last update
02/20/2026 10:00
Published at
09/02/2025 12:00
Vendor(s)
Endress+Hauser AG
External ID
VDE-2025-068
CSAF Document

Summary

A privilege escalation vulnerability has been identified in Endress+Hauser's Proline 10 devices. This flaw allows an authenticated user with Operator-level access to elevate their privileges and gain Maintenance-level access, potentially enabling unauthorized configuration changes.

Endress+Hauser has released a security update addressing this issue.

Impact

Successful exploitation of this vulnerability may allow an attacker to perform vertical privilege escalation, gaining unauthorized access to Maintenance-level functions. As a result, the attacker could:
• Modify all Maintenance parameters
• Change device settings
• Initiate a device reset, potentially causing operational downtime
• Restore the device to its factory default settings
• Reconfigure non-critical diagnostic parameters
• Disable Bluetooth communication
• Alter the 4–20 mA analog output range

Affected Product(s)

Model no. Product name Affected versions
Promag 10 Firmware <01.00.02
Promag 10 Firmware <01.00.06
Promag 10 Firmware <01.00.06
Promass 10 Firmware <01.00.06
Promass 10 Firmware <01.00.02
Promass 10 Firmware <01.00.06

Vulnerabilities

Published
02/20/2026 10:54
Weakness
Insertion of Sensitive Information into Log File (CWE-532)
Summary

A low-privileged attacker within Bluetooth range may be able to obtain the password of a higher-privileged user (Maintenance) by viewing the device’s event log. This vulnerability could allow the Operator to authenticate as the Maintenance user, thereby gaining unauthorized access to sensitive configuration settings and the ability to modify device parameters.

Mitigation

If an immediate firmware update is not feasible, it is recommended to disable the device's Bluetooth communication when not actively in use. This significantly reduces the risk of unauthorized access by eliminating the key vector through which the vulnerability could be exploited.

Remediation

Endress+Hauser has released updated firmware versions for the affected devices that resolve this vulnerability. Customers are encouraged to update their devices to the latest firmware version as soon as possible.
For assistance with the update process, please contact your local Endress+Hauser service center.
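The following inventory triage script is an added example and is not part of the advisory or of any Endress+Hauser tooling. It compares each device's firmware against the affected-version thresholds listed above; because the table gives two different thresholds for the same product name (the model numbers distinguishing them are not reproduced here), the script assumes the higher threshold per product name, which may over-report but never misses an affected device. Device tags and the inventory itself are constructed sample data.

```python
import re

# Affected-version thresholds taken from VDE-2025-068: a device is affected when
# its firmware is strictly below the threshold. The advisory lists <01.00.02 and
# <01.00.06 for different model numbers of the same product; since the model
# numbers are not available here, the higher threshold is assumed for every
# device of that product name (conservative: may flag already-fixed models).
FIXED_VERSIONS = {
    "Promag 10": "01.00.06",
    "Promass 10": "01.00.06",
}

def parse_version(text):
    """Turn '01.00.02' into (1, 0, 2) so comparison is numeric, not lexical."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_affected(product, version):
    """True when the firmware is below the fixed version for this product."""
    threshold = FIXED_VERSIONS.get(product)
    if threshold is None:
        return False  # product not covered by this advisory
    return parse_version(version) < parse_version(threshold)

def triage(inventory):
    """Return the (tag, product, version) entries that still need the update."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]

# Constructed sample inventory: (device tag, product name, firmware version).
SAMPLE_INVENTORY = [
    ("FT-101", "Promag 10", "01.00.02"),
    ("FT-102", "Promag 10", "01.00.06"),
    ("FT-103", "Promass 10", "01.00.10"),   # numerically above 01.00.06
    ("FT-104", "Promass 10", "1.0.5"),      # unpadded form of 01.00.05
    ("FT-105", "Promag 50", "01.00.01"),    # not in this advisory
]

if __name__ == "__main__":
    for tag, product, version in triage(SAMPLE_INVENTORY):
        print(f"{tag}: {product} firmware {version} is below "
              f"{FIXED_VERSIONS[product]}; firmware update required")
```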

Acknowledgments

Endress+Hauser AG thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 09/02/2025 12:00 Initial version
1.0.1 02/20/2026 10:00 fixed typo in alias