The mb24api endpoint reachable when connected via VPN is missing authentication for sensitive functions. This can lead to information disclosure of user- and device names and to DoS.
Two vulnerabilities in myREX24/myREX24.virtual can lead to user enumeration and password bypass.
Two vulnerabilities in mbCONNECT24/mymbCONNECT24 can lead to user enumeration and password bypass.
Vulnerabilities have been discovered in the WAGO Device Manager that allow any origin to access the server and set header values, as well as an endpoint that permits read access to the file system. The WAGO Device Manager is a software for configuring and parameterizing single WAGO products, which is included in the firmware. These vulnerabilities could be exploited by attackers to send requests and read server responses through crafted web applications or to access the file system.
The base ctrlX OS apps Device Admin and Solutions contain multiple vulnerabilities. In a worst case scenario, a remote authenticated (low-privileged) attacker might be able to execute arbitrary OS commands running with higher privileges.
Weidmueller security routers IE-SR-2TX are affected by multiple vulnerabilities (CVE-2025-41661, CVE-2025-41662, CVE-2025-41663).
Weidmueller has released new firmware versions of the affected products to fix the vulnerabilities.
For actuators with AC.2 controls and PROFOX actuators, a configuration error affected deliveries within the period from 01.01.2024 to 09.05.2025. Despite the ordered option "L90.00 = Bluetooth always deactivated", these actuators were delivered with an activated Bluetooth module, which would allow an attacker to utilize the Bluetooth interface. The Bluetooth interface of the affected actuators can be deactivated after delivery using the standard procedures listed in the manuals.