Wiesemann & Theis: Motherbox 3 allows unauthenticated read-only DB access

VDE-2025-067
Last update: 25.08.2025 12:00
Published at: 10.08.2025 12:00
Vendor(s): Wiesemann & Theis GmbH
External ID: VDE-2025-067

Summary

Motherbox 3 with firmware 1.44 to 1.48 allows an unauthenticated remote attacker read-only access to the internal DB with measurement values from other W&T sensor devices.

Impact

A user can log in to the internal database of the Motherbox 3 without a password. This allows unprotected read-only access to the stored measurement data.

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| 50504 | Motherbox 3 | Firmware 1.44<1.48 |

Vulnerabilities

Published: 22.09.2025 14:58
Weakness: Missing Authentication for Critical Function (CWE-306)
Summary

An unauthenticated remote attacker can get access without password protection to the affected device. This enables the unprotected read-only access to the stored measurement data.

Remediation

Update the Motherbox 3 firmware to version 1.49.

Revision History

| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 10.08.2025 12:00 | Initial revision |
| 1.1.0 | 25.08.2025 12:00 | Changed CVE Score from C:L to C:H and changed in the CVE Description the word "grants" to "get" |