VDE-2025-045 | CERT@VDE

2025-07-01 10:00 (CEST) VDE-2025-045

Pilz: Missing Authentication in Node-RED integration

Share: Email | Twitter

ID

VDE-2025-045

Published

2025-07-01 10:00 (CEST)

Last update

2025-06-27 10:42 (CEST)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	IndustrialPI 4 with Firmware Bullseye	<= 2024-08

Summary

Authentication is not configured by default for the Node-RED server on the Pilz industrial PC IndustrialPI. An unauthenticated remote attacker has full access to the Node-RED server and can run arbitrary operating system commands on the underlying operating system with privileged rights.

CVE ID

CVE-2025-41656

Last Update:

June 27, 2025, 10:40 a.m.

Severity

10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.

Details

certvde.com

Impact

The attacker can not only view but create and alter flows in Node-RED. Flows can contain code blocks where commands are executed on the IndustrialPI itself. An attacker can use these code blocks to run any command as a privileged user on the IndustrialPI.

Solution

Mitigation

Limit network access to the IndustrialPI by using a firewall or similar measures.

Remediation

Consult our PDF with remediations which you can find under https://www.pilz.com/search#currentPage=1&SEARCH=Security%20Advis.%20IndustrialPI%20Remediat.. In order to activate the authentication as described in the PDF, you have to have the Node-RED service enabled via the web application.

Reported by

CERT@VDE coordinated with Pilz