Pilz: Authentication Bypass in IndustrialPI Webstatus

VDE-2025-039

Last update

07/01/2025 12:00

Published at

07/01/2025 12:00

Vendor(s)

Pilz GmbH & Co. KG

External ID

PPSA-2025-003

CSAF Document

Download

Summary

The Pilz industrial PC IndustrialPI webstatus application is vulnerable to an authentication bypass.

Impact

An attacker can bypass the login to the web application making it possible to access and maliciously change all available settings of the IndustrialPI.

Affected Product(s)

Model no.	Product name	Affected versions
	Firmware Bullseye <=2024-08 installed on IndustrialPI 4	IndustrialPI webstatus <2.4.6

Vulnerabilities

Expand / Collapse all

Published

02/09/2026 08:38

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Incorrect Type Conversion or Cast (CWE-704)

Summary

An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI.

References

cve.org | nvd.nist.gov

Remediation

Update the webstatus package to version 2.4.6 via the 'apt' package manager. Use 'sudo apt update && sudo apt upgrade -y' to pull and install all available updates for the IndustrialPI. To check the version of the webstatus package, use 'dpkg -l | grep revpi-webstatus'.; Limit network access to the IndustrialPI by using a firewall or similar measures.;

Acknowledgments

Pilz GmbH & Co. KG thanks the following parties for their efforts:

CERT@VDE for coordination (see https://certvde.com )

Revision History

Version	Date	Summary
1.0.0	07/01/2025 12:00	Initial Version

Pilz: Authentication Bypass in IndustrialPI Webstatus

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2025-41648 9.8

Remediation

Acknowledgments

Revision History