| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| FDS101 | <= v1.4.25 | |
| FDS102 | v2.8.0 < v2.13.3 | |
| FDS102 | < v2.13.3 | |
| FDS-SNMP101 | <= v.2.3.9 |
Frauscher Sensortechnik FDS101, FDS-SNMP101 and FDS102 for FAdC/FAdCi R2 and all previous versions are vulnerable to OS Command Injection via malicious configuration file.
A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI.
A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive.
This enables a remote or a local attacker to gain full control of the FDS101/FDS-SNMP101/FDS102 device.
Mitigation
Security-related application conditions SecRAC:
The railway operator must ensure that only authorised personnel or people in the company of authorised personnel have access to the Frauscher Diagnostic System FDS101/FDS-SNMP101/FDS102. This applies for both vulnerabilities.
The recommendation is to connect the Frauscher Diagnostic System FDS102 to a network of category 2. If the Frauscher Diagnostic System FDS102 is connected to a network of category 3 (according to EN 50159:2010), then additional protective measures must be added. This applies for CVE-2025-3626.
Remediation
Update to FDS102 v2.13.3
CERT@VDE coordinated with Frauscher Sensortechnik GmbH