Back to overview

Pilz: Authentication Bypass and Cross-Site-Scripting in PiCtory

VDE-2025-046
Last update
06/30/2025 12:00
Published at
06/30/2025 12:00
Vendor(s)
Pilz GmbH & Co. KG
External ID
PPSA-2025-001
CSAF Document
Download

Summary

PiCtory, a web application to configure the Pilz industrial PC IndustrialPI, has three vulnerabilities with varying degrees of severity. The first two are of critical severity and can lead to a bypass of authentication and a cross-site-scripting attack. The third vulnerability with medium severity puts PiCtory at a risk of a reflected cross-site-scripting attack.

Impact

An unauthenticated attacker can change the configuration of the PiCtory project. This can lead to unwanted behavior or a Denial of Service.

Affected Product(s)

Model no. Product name Affected versions
Pilz Firmware Bullseye <=2024-08 installed on Pilz Hardware IndustrialPI 4 Pilz Software PiCtory <2.12

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
Authentication Bypass by Primary Weakness (CWE-305)
References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
9 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Weakness
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CWE-97)
References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CWE-97)
References
cve.org | nvd.nist.gov

Remediation

Update the PiCtory package to version 2.12 via the 'apt' package manager. Use 'sudo apt update && sudo apt upgrade -y' to pull and install all available updates for the IndustrialPI. To check the version of the pictory package, use 'dpkg -l | grep pictory'.; Limit network access to the IndustrialPI by using a firewall or similar measures.;

Revision History

Version Date Summary
1 06/30/2025 12:00 Initial Version