
ID

VDE-2025-045

Published

2025-07-01 10:00 (CEST)

Last update

2025-06-27 10:42 (CEST)

Vendor(s)

Pilz GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
IndustrialPI 4 with Firmware Bullseye <= 2024-08

Summary

Authentication is not configured by default for the Node-RED server on the Pilz industrial PC IndustrialPI. An unauthenticated remote attacker has full access to the Node-RED server and can run arbitrary operating system commands on the underlying operating system with privileged rights.


CVE ID

CVE-2025-41656

Last Update:

June 27, 2025, 10:40 a.m.

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node-RED server is not configured by default.

Details

certvde.com 

Impact

The attacker can not only view but also create and alter flows in Node-RED. Flows can contain code blocks that execute commands on the IndustrialPI itself. An attacker can use these code blocks to run any command as a privileged user on the IndustrialPI.

Solution

Mitigation

Limit network access to the IndustrialPI by using a firewall or similar measures.

Remediation

Consult our PDF with remediations, which you can find at https://www.pilz.com/search#currentPage=1&SEARCH=Security%20Advis.%20IndustrialPI%20Remediat.. To activate authentication as described in the PDF, the Node-RED service must be enabled via the web application.
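
One way to confirm on a device you administer that authentication is active after remediation, as an added example that is not part of this advisory or the Pilz remediation PDF: Node-RED's admin API reports the active authentication scheme at GET /auth/login and returns an empty object when none is configured. The function names, the sample responses and the base URL passed to check_device are assumptions.

```python
import json
import urllib.request


def classify_auth_scheme(body):
    """Classify the JSON body returned by Node-RED's GET /auth/login.

    Node-RED answers {} when no admin authentication is configured and an
    object with a "type" field (e.g. "credentials") when it is active.
    """
    try:
        scheme = json.loads(body)
    except (ValueError, TypeError):
        return "unknown"          # not JSON: proxy page, different service
    if not isinstance(scheme, dict):
        return "unknown"
    if not scheme:
        return "unauthenticated"  # empty object: editor and admin API open
    if scheme.get("type") in ("credentials", "strategy"):
        return "authenticated"
    return "unknown"


def check_device(base_url, timeout=5.0):
    """Fetch /auth/login from a device you administer and classify it."""
    url = base_url.rstrip("/") + "/auth/login"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_auth_scheme(resp.read().decode("utf-8", "replace"))
    except OSError:
        # Connection refused, timeout, firewall drop or HTTP error status.
        return "unreachable"


# Constructed sample responses, not captured from a real device.
SAMPLES = {
    "no authentication": "{}",
    "authentication enabled": '{"type":"credentials","prompts":['
                              '{"id":"username","type":"text"},'
                              '{"id":"password","type":"password"}]}',
    "proxy error page": "<html>502 Bad Gateway</html>",
}


def audit_samples():
    """Return the verdict for each constructed sample response."""
    return {name: classify_auth_scheme(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:24s} -> {verdict}")
```

A verdict of "unreachable" from outside the control network is the expected result once the firewall mitigation above is in place.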

Reported by

CERT@VDE coordinated with Pilz