
ID

VDE-2025-039

Published

2025-07-01 10:00 (CEST)

Last update

2025-06-27 10:35 (CEST)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No.   Product Name                                  Affected Version(s)
              IndustrialPI 4 with IndustrialPI webstatus    < 2.4.6

Summary

The Pilz industrial PC IndustrialPI webstatus application is vulnerable to an authentication bypass.

CVE ID

CVE-2025-41648

Last Update:

June 27, 2025, 10:31 a.m.

Weakness

Incorrect Type Conversion or Cast (CWE-704)

Summary

An unauthenticated remote attacker can bypass the login to the web application of the affected devices, which makes it possible to access and change all available settings of the IndustrialPI.

Impact

An attacker can bypass the login to the web application, which makes it possible to access and maliciously change all available settings of the IndustrialPI.

Solution

Remediation

Update the webstatus package to version 2.4.6 via the 'apt' package manager. Use 'sudo apt update && sudo apt upgrade -y' to pull and install all available updates for the IndustrialPI. To check the version of the webstatus package, use 'dpkg -l | grep revpi-webstatus'.

Limit network access to the IndustrialPI by using a firewall or similar measures.
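The version check described above, as an added example that is not part of the advisory and not Pilz code: a POSIX shell script that reads `dpkg -l` output, finds the revpi-webstatus package named in the advisory and reports whether the installed version is below the fixed version 2.4.6. The dpkg sample lines are constructed, and stripping a Debian revision suffix such as "-1" before comparing is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or from Pilz): decide from `dpkg -l`
# output whether the installed revpi-webstatus package is below 2.4.6.

FIXED_VERSION="2.4.6"   # fixed version stated in the advisory

# Compare two dotted versions component by component; prints -1, 0 or 1
# for a<b, a==b, a>b. A Debian revision suffix ("-1") is stripped first
# (assumption); a missing component counts as 0, so 2.4 equals 2.4.0.
compare_versions() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Extract the version column of the installed ("ii") revpi-webstatus line
# from `dpkg -l` output passed in $1 (status, name, version, arch, desc).
installed_version() {
    printf '%s\n' "$1" | awk '$1 == "ii" && $2 == "revpi-webstatus" { print $3; exit }'
}

# Prints "vulnerable", "fixed" or "not-installed".
webstatus_status() {
    v=$(installed_version "$1")
    if [ -z "$v" ]; then printf '%s\n' not-installed; return; fi
    if [ "$(compare_versions "$v" "$FIXED_VERSION")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# Constructed sample of `dpkg -l` output so the check runs offline.
SAMPLE_DPKG='ii  revpi-webstatus  2.4.5-1  all  Web status page (constructed sample)
ii  openssh-server   1:9.2p1-2  amd64  secure shell (SSH) server'

webstatus_status "$SAMPLE_DPKG"     # prints: vulnerable
# On a device: webstatus_status "$(dpkg -l 2>/dev/null)"
```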

Reported by

CERT@VDE coordinated with Pilz