
A security vulnerability was discovered in PLC Designer V4 version 4.0.0, where the programmer of a controller can set a password for the connected device. The programmer enters this password in an interface of PLC Designer V4, and in one particular constellation the entered password appears in plain text. Only the display in the tool is affected, not the management of the password on the device. The vulnerability occurs only when PLC Designer V4 is used in combination with the c430, c520 and c550 controllers, because this functionality is used only with those devices. It is generally recommended that all users update to 4.0.1, especially those who operate PLC Designer V4 in combination with the controllers mentioned.



The mb24api endpoint, which is reachable when connected via VPN, is missing authentication for sensitive functions. This can lead to information disclosure of user and device names and to DoS.



The mb24api endpoint, which is reachable when connected via VPN, is missing authentication for sensitive functions. This can lead to information disclosure of user and device names and to DoS.



Two vulnerabilities in myREX24/myREX24.virtual can lead to user enumeration and password bypass.



Two vulnerabilities in mbCONNECT24/mymbCONNECT24 can lead to user enumeration and password bypass.



WAGO: Vulnerabilities in WAGO Device Manager

Vulnerabilities have been discovered in the WAGO Device Manager that allow any origin to access the server and set header values, as well as an endpoint that permits read access to the file system. The WAGO Device Manager is software for configuring and parameterizing individual WAGO products and is included in the firmware. Attackers could exploit these vulnerabilities to send requests and read server responses through crafted web applications, or to access the file system.



WAGO: Vulnerabilities in ctrlX OS app

The base ctrlX OS apps Device Admin and Solutions contain multiple vulnerabilities. In a worst-case scenario, a remote authenticated (low-privileged) attacker might be able to execute arbitrary OS commands running with higher privileges.



Weidmueller security routers IE-SR-2TX are affected by multiple vulnerabilities (CVE-2025-41661, CVE-2025-41662, CVE-2025-41663).

Weidmueller has released new firmware versions of the affected products to fix the vulnerabilities.




Legend

(Scoring for CVSS 2.0, 3.0 + 3.1)
None: No CVE available
Low: 0.1 <= 3.9
Medium: 4.0 <= 6.9
High: 7.0 <= 8.9
Critical: 9.0 <= 10.0