
ID

VDE-2025-067

Published

2025-08-19 10:00 (CEST)

Last update

2025-08-18 11:00 (CEST)

Vendor(s)

Wiesemann & Theis GmbH

Product(s)

Article No° | Product Name | Affected Version(s)
- | Motherbox 3 | 1.44 <= 1.48

Summary

Motherbox 3 with firmware 1.44 to 1.48 allows an unauthenticated remote attacker read-only access to the internal DB with measurement values from other W&T sensor devices.


CVE ID

CVE-2025-41689

Last Update:

Aug. 19, 2025, 10:10 a.m.

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

An unauthenticated remote attacker can grant access without password protection to the affected device. This enables unprotected read-only access to the stored measurement data.

Details

certvde.com 

Impact

When logging into the internal database of the Motherbox 3, the user can grant access without password protection. This enables unprotected read-only access to the stored measurement data.

Solution

Remediation

Update the Motherbox 3 firmware to version 1.49.

Reported by

CERT@VDE coordinated with Wiesemann & Theis