Summary
The PASvisu Runtime is affected by a vulnerability in a third-party component which can be exploited by a malicious web request.
Impact
A successful attack leads to a loss of availability of the affected Pilz products. For the products to be operational again, a manual restart is required.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
Firmware PMI v70Xe <=03.00.00 installed on PMIv7xxe | PASvisu | <=1.15.0 |
Firmware PMI v8 <=2.2.1 installed on PMIv8xx | PASvisu | <=1.15.0 |
PASvisu | PASvisu | <=1.15.0 |
Vulnerabilities
An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 through 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If downstream vendors integrate this component improperly, the issue may lead to a buffer overflow.
Mitigation
Limit network access to the PASvisu server by using a firewall, a host-based firewall or similar measures.
Remediation
- PASvisu: Please visit the Pilz website (https://www.pilz.com/en-INT/search) and install the new version 'PASvisu 1.15.1' onto your device.
- PMIv7xxe: Please visit the Pilz website (https://www.pilz.com/en-INT/search) and install the new firmware image 'Firmware PMI v70Xe (visu 1.15.1) 03.01.00' onto your device.
- PMIv8xx: Please visit the Pilz website (https://www.pilz.com/en-INT/search) and download 'Firmware PMI v8 Assistant (visu 1.15.1) 2.2.2' in order to install the new version of the firmware onto your device.
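To turn the affected-version table and the remediation list above into an inventory check, the following is an added example (not Pilz's or CERT@VDE's tooling). The version bounds are taken from this advisory; the inventory entries and host names are constructed sample data. Note that dotted versions must be compared numerically, since a plain string comparison misorders '03.00.00' against '3.0.0' and '7.17' against '7.5'.

```python
"""Check an asset inventory against the affected-version ranges in this advisory.

Added example; the bounds come from the advisory tables, the inventory is
constructed sample data, not real hosts.
"""
from typing import Optional


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers so that '03.00.00' == '3.0.0'
    and '7.17' sorts after '7.5' (string comparison gets both wrong)."""
    return tuple(int(part) for part in v.strip().split("."))


# product -> (lowest affected version or None, highest affected version), inclusive
AFFECTED_RANGES = {
    "PASvisu": (None, "1.15.0"),
    "Firmware PMI v70Xe": (None, "03.00.00"),
    "Firmware PMI v8": (None, "2.2.1"),
    "Mongoose": ("7.5", "7.17"),  # the third-party component named in the advisory
}


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for a product listed above, None if the product is unknown."""
    bounds = AFFECTED_RANGES.get(product)
    if bounds is None:
        return None
    low, high = bounds
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    return v <= parse_version(high)


def check_inventory(inventory):
    """Return the (host, product, version) entries that still need remediation."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory (hypothetical hosts); fixed versions per the remediation section.
SAMPLE_INVENTORY = [
    ("pmi7-line1", "Firmware PMI v70Xe", "03.00.00"),  # affected
    ("pmi7-line2", "Firmware PMI v70Xe", "03.01.00"),  # fixed image
    ("pmi8-cell3", "Firmware PMI v8", "2.2.2"),        # fixed
    ("hmi-pc-01", "PASvisu", "1.15.0"),                # affected
    ("hmi-pc-02", "PASvisu", "1.15.1"),                # fixed
]

if __name__ == "__main__":
    for host, product, version in check_inventory(SAMPLE_INVENTORY):
        print(f"needs remediation: {host} ({product} {version})")
```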
Acknowledgments
Pilz GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
Revision History
Version | Date | Summary |
---|---|---|
1.0.0 | 10/20/2025 12:00 | Initial Version |