Summary
Vulnerabilities have been discovered in the embedded firmware of SAUTER modulo 6 devices. These vulnerabilities affect the embedded web server as well as the interface to the SAUTER CASE Suite tools.
Impact
The vulnerabilities in the modulo 6 devices allow privilege escalation, remote exploitation, and compromise of device integrity, availability and confidentiality.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| EY-modulo 5 ecos 5 ecos504/505 | Firmware EY-modulo 5 embedded software <v6.0 | |
| EY-modulo 5 modu 5 modu524 | Firmware EY-modulo 5 embedded software <v6.0 | |
| EY-modulo 5 modu 5 modu525 | Firmware EY-modulo 5 embedded software <v6.0 | |
| modulo 6 devices modu612-LC | Firmware modulo 6 embedded software <v3.2.0 | |
| modulo 6 devices modu660-AS | Firmware modulo 6 embedded software <v3.2.0 | |
| modulo 6 devices modu680-AS | Firmware modulo 6 embedded software <v3.2.0 |
Vulnerabilities
Expand / Collapse allThe importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations.
A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of the default Administrator with a known default password.
An unauthenticated remote attacker can crash the wscserver by sending incomplete SOAP requests. The wscserver process will not be restarted by a watchdog and a device reboot is necessary to make it work again.
The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.
A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified.
A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate.
Remediation
Update to firmware version 3.2.0. or newer. This will require CASE Suite Version 5.2 SR5 or newer. Contact your local SAUTER representative for support.
Acknowledgments
Sauter AG thanks the following parties for their efforts:
- Damian Pfammatter, Daniel Hulliger from Cyber-Defence Campus armasuisse S+T for SAUTER thanks the Cyber-Defence Campus of ARMASUISSE S+T for organizing the hackathon and for reporting the vulnerabilities. (see https://www.ar.admin.ch/cyberdefencecampus )
- CERT@VDE for coordination
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 10/21/2025 12:00 | Initial revision |