Zurück zur Übersicht

Sauter: Multiple vulnerabilities in SAUTER modulo 6

VDE-2025-060
Last update
21.10.2025 12:00
Published at
21.10.2025 12:00
Vendor(s)
Sauter AG
External ID
VDE-2025-060
CSAF Document
Download

Summary

Vulnerabilities have been discovered in the embedded firmware of SAUTER modulo 6 devices. These vulnerabilities affect the embedded web server as well as the interface to the SAUTER CASE Suite tools.

Impact

The vulnerabilities in the modulo 6 devices allow privilege escalation, remote exploitation, and compromise of device integrity, availability and confidentiality.

Affected Product(s)

Model no. Product name Affected versions
EY-modulo 5 ecos 5 ecos504/505 Firmware EY-modulo 5 embedded software <v6.0
EY-modulo 5 modu 5 modu524 Firmware EY-modulo 5 embedded software <v6.0
EY-modulo 5 modu 5 modu525 Firmware EY-modulo 5 embedded software <v6.0
modulo 6 devices modu612-LC Firmware modulo 6 embedded software <v3.2.0
modulo 6 devices modu660-AS Firmware modulo 6 embedded software <v3.2.0
modulo 6 devices modu680-AS Firmware modulo 6 embedded software <v3.2.0

Vulnerabilities

Expand / Collapse all

Published
21.10.2025 08:54
Severity
9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
Path Traversal: '.../...//' (CWE-35)
Summary

The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations.

References
cve.org | nvd.nist.gov

Published
21.10.2025 08:54
Severity
8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
Improper Validation of Syntactic Correctness of Input (CWE-1286)
Summary

A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of the default Administrator with a known default password.

References
cve.org | nvd.nist.gov

Published
21.10.2025 08:54
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
Failure to Handle Incomplete Element (CWE-239)
Summary

An unauthenticated remote attacker can crash the wscserver by sending incomplete SOAP requests. The wscserver process will not be restarted by a watchdog and a device reboot is necessary to make it work again.

References
cve.org | nvd.nist.gov

Published
21.10.2025 08:54
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
Use of Hard-coded Credentials (CWE-798)
Summary

The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.

References
cve.org | nvd.nist.gov

Published
21.10.2025 08:54
Severity
4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness
Reliance on File Name or Extension of Externally-Supplied File (CWE-646)
Summary

A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified.

References
cve.org | nvd.nist.gov

Published
21.10.2025 08:54
Severity
2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Weakness
Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Summary

A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate.

References
cve.org | nvd.nist.gov

Remediation

Update to firmware version 3.2.0. or newer. This will require CASE Suite Version 5.2 SR5 or newer. Contact your local SAUTER representative for support.

Acknowledgments

Sauter AG thanks the following parties for their efforts:

  • Damian Pfammatter, Daniel Hulliger from Cyber-Defence Campus armasuisse S+T for SAUTER thanks the Cyber-Defence Campus of ARMASUISSE S+T for organizing the hackathon and for reporting the vulnerabilities. (see https://www.ar.admin.ch/cyberdefencecampus )
  • CERT@VDE for coordination

Revision History

Version Date Summary
1.0.0 21.10.2025 12:00 Initial revision