VDE-2025-091
Last update: 10/14/2025 12:00
Published at: 10/14/2025 12:00
Vendor(s): Murrelektronik GmbH
External ID: VDE-2025-091
Summary
The embedded web interface of the MURRELEKTRONIK IMPACT67 Pro PN DIO8 IOL8
transmits login credentials over unencrypted HTTP using a GET request. The device does
not offer HTTPS/TLS support, exposing user credentials to passive interception by any attacker on the same network.
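
As an added example (not part of the advisory and not Murrelektronik code), the following Python check flags plaintext HTTP GET requests whose query string carries credential-like parameters, as a network sensor monitoring a segment with affected devices might. The parameter names, hosts and sample requests are assumptions constructed for illustration; the advisory does not name the login parameters.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: the advisory does not name the login parameters; these are
# common credential-like names, to be adjusted for the device at hand.
CREDENTIAL_KEYS = {"user", "username", "login", "pass", "passwd", "password", "pwd"}

# Constructed sample: plaintext HTTP requests as a sensor on a mirror port
# would reassemble them. Hosts, paths and values are made up.
SAMPLE_REQUESTS = [
    "GET /login?username=operator&password=EXAMPLE-ONLY HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "GET /status?port=3 HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\nusername=a&password=b",
    "GET /cfg?PWD=&lang=en HTTP/1.1\r\nHost: 192.0.2.11\r\n\r\n",
    "garbage that is not HTTP",
]


def find_get_credentials(raw_request):
    """Return a finding dict if a plaintext GET carries credential-like
    query parameters, else None. Values are never copied into the finding."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    url = urlsplit(parts[1])
    # keep_blank_values: an empty password field is still a login over HTTP
    hits = sorted({k.lower() for k, _ in parse_qsl(url.query, keep_blank_values=True)
                   if k.lower() in CREDENTIAL_KEYS})
    if not hits:
        return None
    return {"host": host, "path": url.path, "params": hits}


def scan(requests):
    """Run the check over many requests and keep only the findings."""
    return [f for f in map(find_get_credentials, requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The check is scoped to the GET case the advisory describes; findings list parameter names only, so the alert itself does not store the credential values.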
Impact
User credentials sent to the device's web server are exposed to an attacker in the same network or network segment. The confidentiality of this data is compromised.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 54620 | Murrelektronik Firmware Impact67 Pro 54620 | <=1.08.01 |
| 54630 | Murrelektronik Firmware Impact67 Pro 54630 | <=1.08.01 |
| 54631 | Murrelektronik Firmware Impact67 Pro 54631 | <=1.08.05 |
| 54632 | Murrelektronik Firmware Impact67 Pro 54632 | <=1.08.01 |
Vulnerabilities
Published: 10/14/2025 15:00
Severity
Weakness: Cleartext Transmission of Sensitive Information (CWE-319)
Summary
A cleartext transmission of sensitive information vulnerability in the affected products allows an unauthorized remote attacker to gain login credentials and access the Web-UI.
References
Acknowledgments
Murrelektronik GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
- Abhishek Pandey from Payatu Security Consulting Pvt. Ltd. for reporting and analysing

Revision History
| Version | Date | Summary | 
|---|---|---|
| 1.0.0 | 10/14/2025 12:00 | initial release |