CVE-2025-41646
BaseFortify
Publication date: 2025-06-06
Last updated on: 2025-06-10
Assigner: CERT VDE
Description
An unauthenticated remote attacker can bypass the login of the Revolution Pi Webstatus application (versions below 2.4.6) by sending a JSON boolean instead of a password hash string; the incorrect type conversion during password verification (CWE-704) makes the check succeed and leads to full compromise of the device.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kunbus | revpi_status | < 2.4.6 (2.4.6 excluded, i.e. up to and including 2.4.5) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-704 | The product does not correctly convert an object, resource, or structure from one type to a different type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-41646 is a critical authentication bypass in the Revolution Pi Webstatus application (versions up to and including 2.4.5; fixed in 2.4.6) and in the Revolution Pi OS Bullseye releases that ship it. The flaw (CWE-704, incorrect type conversion) sits in the login check: the server compares the submitted password hash with the stored one without first verifying that the submitted value is actually a string, and the comparison is loosely typed. An attacker who sends the JSON boolean `true` in the `hashcode` field of the `password` parameter, instead of a hash string, therefore makes the comparison succeed against the stored hash without knowing the password and is logged in. [1, 2]
How can this vulnerability impact me?
The bypass is reachable over the network by an unauthenticated remote attacker: no privileges and no user interaction are required. A successful bypass gives the attacker an authenticated session on the device's web interface and leads to full compromise of the affected device, with high impact on confidentiality, integrity and availability; the attacker can control or disrupt the device completely. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Check the installed version of the Webstatus package: every version below 2.4.6 (that is, up to and including 2.4.5) is affected. On the device, `dpkg -l | grep revpi-webstatus` or `dpkg-query -W revpi-webstatus` prints the installed package version. To spot exploitation attempts, inspect the web server's access logs or captured traffic for login requests in which the `hashcode` field of the `password` parameter carries the JSON boolean `true` (or any other non-string type) instead of a hash string; a legitimate client always sends a string there. The advisory does not publish detection commands or signatures, so this check has to be built locally. [1, 2]
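The following is an added example, not code from BaseFortify or from the Revolution Pi project, that puts both answers above into working code: the first answer's type-confused comparison next to a type-strict, constant-time replacement, and this answer's two checks (flagging login bodies whose `hashcode` is not a string, and deciding from a dpkg version string whether the installed `revpi-webstatus` is below the fixed 2.4.6). Two things are assumptions, not taken from the advisory: that the login body is JSON with a `password` object carrying a `hashcode` member, and that the flawed comparison behaves like a loosely typed equality in which boolean `true` equals any non-empty string. The sample request bodies and the dpkg-query line are constructed.

```python
"""Added example (not BaseFortify's or Revolution Pi's code) for CVE-2025-41646.

Assumptions, not from the advisory: the login body is JSON with a `password`
object holding a `hashcode` member, and the flawed comparison is a loosely
typed equality where boolean true equals any non-empty string. All sample
inputs below are constructed.
"""
import hashlib
import hmac
import json
import re
from typing import Any, Iterator, Optional

FIXED_UPSTREAM_VERSION = (2, 4, 6)  # first fixed revpi-webstatus release


def loose_equal(stored: str, supplied: Any) -> bool:
    """Emulated loosely typed equality (assumption about the flawed code):
    a boolean on one side coerces the string on the other side to a boolean,
    so `true` matches every non-empty stored hash without knowing it."""
    if isinstance(supplied, bool):
        return supplied == (stored != "" and stored != "0")
    return isinstance(supplied, str) and stored == supplied


def verify_hashcode_loose(stored_hash: str, supplied: Any) -> bool:
    """Vulnerable pattern: compares whatever JSON type the client sent."""
    return loose_equal(stored_hash, supplied)


def verify_hashcode_strict(stored_hash: str, supplied: Any) -> bool:
    """Hardened pattern: reject anything that is not a string before comparing,
    then compare in constant time so the check does not leak by timing."""
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(stored_hash.encode(), supplied.encode())


def _walk(node: Any, path: str = "$") -> Iterator[tuple]:
    """Yield (json_path, value) for every leaf of a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def suspicious_hashcode_fields(body: str) -> list:
    """Return the JSON paths of every `hashcode` member whose value is not a
    string. A boolean, number, null, object or array there is the
    type-confusion signature to alert on; non-JSON bodies are ignored."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    return [path for path, value in _walk(doc)
            if path.endswith(".hashcode") and not isinstance(value, str)]


def upstream_version(debian_version: str) -> tuple:
    """Numeric upstream part of a Debian version such as '2.4.6-1+revpi11+1'
    (epoch and Debian revision stripped)."""
    version = debian_version.split(":", 1)[-1]   # drop epoch, if any
    version = version.split("-", 1)[0]           # drop Debian revision
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected_version(debian_version: str) -> bool:
    """True when the installed revpi-webstatus is below the fixed 2.4.6."""
    return upstream_version(debian_version) < FIXED_UPSTREAM_VERSION


def installed_version_from_dpkg(dpkg_query_output: str) -> Optional[str]:
    """Parse the output of
    `dpkg-query -W -f='${Package} ${Version}\\n' revpi-webstatus`."""
    for line in dpkg_query_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "revpi-webstatus":
            return fields[1]
    return None


if __name__ == "__main__":
    stored = hashlib.sha256(b"correct horse battery staple").hexdigest()
    # Constructed sample login bodies, not real captures.
    benign = json.dumps({"username": "admin", "password": {"hashcode": stored}})
    bypass = '{"username": "admin", "password": {"hashcode": true}}'
    print("loose check with boolean true :", verify_hashcode_loose(stored, True))   # True
    print("strict check with boolean true:", verify_hashcode_strict(stored, True))  # False
    for body in (benign, bypass):
        print(body, "->", suspicious_hashcode_fields(body) or "clean")
    # Constructed dpkg-query output line.
    ver = installed_version_from_dpkg("revpi-webstatus 2.4.5-1+revpi11+1\n")
    print(ver, "affected" if is_affected_version(ver) else "fixed")
```

Run it as a script to see the loose check accept `true` while the strict check rejects it, the bypass body flagged at `$.password.hashcode`, and the 2.4.5 package line reported as affected. The detection walks the whole JSON document rather than one fixed path, so it still fires if the real login body nests the field differently from the assumed shape.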
What immediate steps should I take to mitigate this vulnerability?
Update the Webstatus package to version 2.4.6 or later, which contains the fix. On the device, run `apt-get update && apt-get upgrade` (or `apt-get install --only-upgrade revpi-webstatus` to update only this package), or download the updated Debian package `revpi-webstatus_2.4.6-1+revpi11+1_all.deb` from the official repository and install it manually with `dpkg -i`. After the update, restart the vulnerable component so the fixed code is loaded, and confirm with `dpkg -l | grep revpi-webstatus` that the installed version is 2.4.6 or later. Until the update is applied, keep the Webstatus interface off untrusted networks, since the bypass needs nothing more than network access to the login endpoint. [1, 2]