Pilz: Authentication Bypass in IndustrialPI Webstatus

VDE-2025-039

Last update

01.07.2025 12:00

Published at

01.07.2025 12:00

Vendor(s)

Pilz GmbH & Co. KG

External ID

PPSA-2025-003

CSAF Document

Download

Summary

The Pilz industrial PC IndustrialPI webstatus application is vulnerable to an authentication bypass.

Impact

An attacker can bypass the login to the web application making it possible to access and maliciously change all available settings of the IndustrialPI.

Affected Product(s)

Model no.	Product name	Affected versions
	Firmware Bullseye <=2024-08 installed on IndustrialPI 4	IndustrialPI webstatus <2.4.6

Vulnerabilities

Expand / Collapse all

Published

22.09.2025 14:57

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Incorrect Type Conversion or Cast (CWE-704)

References

cve.org | nvd.nist.gov

Remediation

Update the webstatus package to version 2.4.6 via the 'apt' package manager. Use 'sudo apt update && sudo apt upgrade -y' to pull and install all available updates for the IndustrialPI. To check the version of the webstatus package, use 'dpkg -l | grep revpi-webstatus'.; Limit network access to the IndustrialPI by using a firewall or similar measures.;

Revision History

Version	Date	Summary
1.0.0	01.07.2025 12:00	Initial Version