| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | Telepresence Box | < 7.0.0 |
| | Telepresence Box 7.0.0<10.0.0 configuration | older than 08.08.2025 |
The TRUMPF remote support infrastructure selects an outdated encryption algorithm when setting up communication channels for machines. This cannot be prevented for old machines. For most machines it is possible to change the encryption settings.
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
In high-traffic sessions, an attacker with access to the network stream may be able to sniff and decrypt the data exchanged during a remote support session. High-traffic sessions typically only contain VNC data, as the machine's screen content is transmitted. A potential attack may also allow the decryption of large software update sessions, which contain software update packages sent from the TRUMPF infrastructure to the machine. However, all vulnerable devices have been excluded from the software update until a secure state is reinstated.
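The birthday bound described above, as an added example that is not part of the advisory: the first two functions estimate how much data under one key makes a ciphertext block collision likely, and the toy CBC shows that such a collision reveals the XOR of two plaintext blocks. The 16-bit toy permutation, all function names and the sample data are assumptions made for illustration, and the 128-bit comparison goes beyond the advisory's text.

```python
import math
import random

def collision_probability(blocks, block_bits):
    """Birthday approximation: chance that two of `blocks` ciphertext
    blocks encrypted under one key are identical."""
    return -math.expm1(-blocks * (blocks - 1) / 2.0 ** (block_bits + 1))

def bytes_for_probability(p, block_bits):
    """Data volume under a single key at which that chance reaches p."""
    blocks = math.sqrt(2.0 ** (block_bits + 1) * -math.log1p(-p))
    return blocks * block_bits / 8

def toy_cbc_encrypt(key, iv, plaintext, block_bits=16):
    """CBC over a keyed random permutation of a tiny block space
    (constructed stand-in for a block cipher, not 3DES itself)."""
    perm = list(range(1 << block_bits))
    random.Random(key).shuffle(perm)
    out, prev = [], iv
    for block in plaintext:
        prev = perm[block ^ prev]
        out.append(prev)
    return out

def colliding_pairs(ciphertext):
    """Index pairs (i, j), i < j, whose ciphertext blocks are equal."""
    first_seen, pairs = {}, []
    for j, c in enumerate(ciphertext):
        if c in first_seen:
            pairs.append((first_seen[c], j))
        first_seen.setdefault(c, j)
    return pairs

def xor_from_ciphertext(iv, ciphertext, i, j):
    """Equal outputs of a permutation mean equal inputs, so
    p_i XOR p_j equals c_(i-1) XOR c_(j-1): known from ciphertext alone."""
    before = lambda k: ciphertext[k - 1] if k else iv
    return before(i) ^ before(j)

if __name__ == "__main__":
    for bits in (64, 128):
        print(bits, "bit blocks:", collision_probability(2 ** 32, bits),
              "collision chance after 2^32 blocks;",
              round(bytes_for_probability(0.5, bits) / 2 ** 30, 1), "GiB to 50%")
    rng = random.Random(1)                      # constructed sample data
    plain = [rng.randrange(1 << 16) for _ in range(2000)]
    cipher = toy_cbc_encrypt(key=7, iv=0x1234, plaintext=plain)
    pairs = colliding_pairs(cipher)
    print(len(pairs), "collisions in 2000 toy blocks; XOR relation holds:",
          all(plain[i] ^ plain[j] == xor_from_ciphertext(0x1234, cipher, i, j)
              for i, j in pairs))
```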
Remediation
Since August 8th, 2025, an automated configuration update is available for TRUMPF machines with a Telepresence Box 7.0.0 and newer. It will automatically be applied when activating a remote session from the machine. A TRUMPF technician doesn't need to join the session. Please refer to your operator's manual on how to activate a remote session on your TRUMPF machine.
The update takes up to 5 minutes. After a successful update, the remote session will automatically be closed. If the session is not automatically closed, then the update has already been applied or is not needed at the machine.
Machines using a Telepresence Box 6.x and older can't use secure encryption. All customers still connecting to TRUMPF with such a device will be identified by TRUMPF and contacted with further information. It is possible to order a new Telepresence Box via your sales representative. In such a case, please contact the TRUMPF Service for installation.
Please note that from July 1st, 2026, onward, machines with a Telepresence Box 6.x and older will no longer be able to connect to the TRUMPF infrastructure.
CERT@VDE coordinated with Trumpf