
Multiple TRUMPF products prone to regreSSHion OpenSSH server vulnerabilities

VDE-2024-040
Last update
04/10/2025 15:00
Published at
06/25/2024 12:00
Vendor(s)
Trumpf SE + Co. KG
External ID
VDE-2024-040
CSAF Document

Summary

TruControl laser control software prior to version 1.60.0 uses an OpenSSH server version affected by CVE-2024-6387. The affected OpenSSH server version could potentially lead to remote code execution.

Impact

To exploit this vulnerability, the attacker first needs some kind of network access to the system.
The remote code execution vulnerability could give the attacker access to the laser control system, with the following possible impacts on or damage to the system:
Data loss in the laser control
Standstill of production
Damage caused by changes to the laser control
Safety is not affected, since it is controlled by an independent electromechanical safety mechanism.

Affected Product(s)

Model no.        Product name         Affected versions
TruDiode         Firmware TruControl  <1.60.0
TruDisk          Firmware TruControl  <1.60.0
TruMicro 2000    Firmware TruControl  <1.60.0
TruMicro 5000    Firmware TruControl  <1.60.0
TruMicro 6000    Firmware TruControl  <1.60.0
TruMicro 7000    Firmware TruControl  <1.60.0
TruMicro 8000    Firmware TruControl  <1.60.0
TruMicro 9000    Firmware TruControl  <1.60.0
TruPulse         Firmware TruControl  <1.60.0
redpowerDirect   Firmware TruControl  <1.60.0

Vulnerabilities


Published
09/22/2025 14:57
Weakness
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
Summary

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
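The trigger described above (an unauthenticated client repeatedly letting the authentication grace period expire) leaves a trace in the sshd log: one "Timeout before authentication for <ip> port <n>" message per expired connection. The following detection check is an added example, not part of this advisory or of TRUMPF's software: it counts those messages per source address over a sliding window and flags sources that exceed a threshold. The syslog line format, host name, addresses, the year (syslog lines carry none) and the 20-timeouts-in-10-minutes threshold are all constructed or assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd logs this message when LoginGraceTime expires before authentication completes.
# Assumed syslog layout: "Mon DD HH:MM:SS host sshd[pid]: message".
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>\S+) port \d+"
)

def parse_timeouts(lines, year=2024):
    """Yield (timestamp, source_ip) for every grace-timeout line; other lines are ignored."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            # Syslog has no year; the caller supplies it (assumption: all lines are from one year).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def flag_sources(lines, window=timedelta(minutes=10), threshold=20, year=2024):
    """Return {ip: peak_count} for sources with >= threshold timeouts inside any single window."""
    per_ip = defaultdict(list)
    for ts, ip in parse_timeouts(lines, year):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log: one normal login, one isolated timeout (benign, e.g. a dropped
# connection), and 25 timeouts from a single source within about three minutes.
SAMPLE_LOG = [
    "Jul 10 08:00:05 laser01 sshd[4101]: Accepted publickey for operator from 198.51.100.7 port 50122 ssh2",
    "Jul 10 08:01:12 laser01 sshd[4133]: Timeout before authentication for 198.51.100.20 port 41022",
] + [
    f"Jul 10 08:{2 + i // 10:02d}:{(i % 10) * 6:02d} laser01 sshd[{5000 + i}]: "
    f"Timeout before authentication for 192.0.2.10 port {40000 + i}"
    for i in range(25)
]

if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} authentication timeouts within one 10-minute window")
```

Run against the real sshd log of a system that cannot yet be updated, the same check gives early warning of repeated grace-timeout attempts from one source; the single timeout from 198.51.100.20 stays below the threshold and is not reported.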

Remediation

Update to the newest release 4.04.0 of the TruControl software.
Please contact your service partner (service.tls@trumpf.com) for instructions on how to be automatically informed about the newest major release 4.04.0 of the TruControl software.

Revision History

Version  Date              Summary
1        06/25/2024 12:00  Initial revision.
2        11/06/2024 12:27  Fix: correct certvde domain, added self-reference
3        11/14/2024 13:00  Removed issuing authority as it is the same as the publisher
4        04/10/2025 15:00  Fixed CSAF self-reference URL