Pilz: Missing Authentication in Node-RED integration

VDE-2025-045
Last update
01.07.2025 12:00
Published at
01.07.2025 12:00
Vendor(s)
Pilz GmbH & Co. KG
External ID
PPSA-2025-002

Summary

Authentication is not configured by default for the Node-RED server on the Pilz industrial PC IndustrialPI. An unauthenticated remote attacker has full access to the Node-RED server and can run arbitrary operating system commands on the underlying operating system with privileged rights.

Impact

The attacker can not only view but also create and alter flows in Node-RED. Flows can contain code blocks that execute commands on the IndustrialPI itself. An attacker can use these code blocks to run any command as a privileged user on the IndustrialPI.

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| A1000002, A1000003 | IndustrialPI 4 | Firmware Bullseye <=2024-08 |

Vulnerabilities

Published
22.09.2025 14:58
Weakness
Missing Authentication for Critical Function (CWE-306)
Mitigation

Limit network access to the IndustrialPI by using a firewall or similar measures.

Remediation

Consult our PDF with remediations, which you can find under www.pilz.com/search. To activate authentication as described in the PDF, the Node-RED service must be enabled via the web application.
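
To confirm on a device you administer that authentication is active after remediation, the following added example (not part of the Pilz advisory or its PDF) classifies the reply of the standard Node-RED Admin API call `GET /auth/login`, which returns an empty object when no authentication is active. The base URL is supplied by the caller and the sample replies are constructed.

```python
import json
import urllib.error
import urllib.request


def classify_auth(status, body):
    """Classify a reply to Node-RED's GET /auth/login Admin API call."""
    if status != 200:
        return "unknown"            # blocked, proxied, or not a Node-RED editor
    try:
        scheme = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"            # reply is not JSON
    if not isinstance(scheme, dict):
        return "unknown"
    if not scheme:
        return "unauthenticated"    # {} means no authentication is active
    if scheme.get("type") in ("credentials", "strategy"):
        return "authenticated"      # an authentication scheme is active
    return "unknown"


def check_node_red(base_url, timeout=5):
    """Query one device; base_url (scheme, host, port) is chosen by the caller."""
    url = base_url.rstrip("/") + "/auth/login"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_auth(resp.status, body)
    except urllib.error.HTTPError as exc:
        return classify_auth(exc.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"        # expected where the firewall mitigation applies


# Constructed sample replies, not captured from a real device.
SAMPLES = {
    "default install": (200, "{}"),
    "after remediation": (200, '{"type": "credentials", "prompts": ['
                               '{"id": "username", "type": "text"}, '
                               '{"id": "password", "type": "password"}]}'),
    "other web service": (200, "<html><body>login</body></html>"),
    "path not found": (404, ""),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name}: {classify_auth(status, body)}")
```

A result of `unauthenticated` from a network segment that should not reach the editor means both the mitigation and the remediation are still outstanding for that device.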

Revision History

| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 01.07.2025 12:00 | Initial Version |