Multiple vulnerabilities in the firmware of CHARX SEC-3xxx charging controllers have been discovered.

Update Version 1.1.0: Updated the reporting credits for CVE-2025-25271.



Frauscher Sensortechnik FDS101, FDS-SNMP101 and FDS102 for FAdC/FAdCi R2 and all previous versions are vulnerable to OS Command Injection via a malicious configuration file.

CVE-2025-3626 affects FDS102 versions v2.8.0 < v2.13.3.

CVE-2025-3705 affects a broader range of products and versions. Specifically, it affects:

  • FDS102 versions < v2.13.3
  • FDS101 versions <= v1.4.25
  • FDS-SNMP101 versions <= v.2.3.9

Update 1.1.0, 29.07.2025: The summary has been updated to include a mapping between CVEs and affected products, and the remediation section has been revised to include FDS101.



WAGO: Vulnerability in WAGO Device Sphere

During installation, identical certificates, which are intended for JWT token encryption and signing, are installed across all systems instead of unique ones.



The Pilz industrial PC IndustrialPI webstatus application is vulnerable to an authentication bypass.



Authentication is not configured by default for the Node-RED server on the Pilz industrial PC IndustrialPI. An unauthenticated remote attacker has full access to the Node-RED server and can run arbitrary operating system commands on the underlying operating system with privileged rights.



ifm: Improper Access Control vulnerability

A vulnerability has been disclosed in PLC ifm AC4xxS that allows an attacker to trigger the safety state with the help of a specially crafted html request. This leads to a loss of availability.


