CVE-2025-41648
BaseFortify
Publication date: 2025-07-01
Last updated on: 2025-07-03
Assigner: CERT VDE
Exploitability
| CWE ID | Description |
|---|---|
| CWE-704 | The product does not correctly convert an object, resource, or structure from one type to a different type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-41648 is a vulnerability in the IndustrialPI webstatus application (version 2.4.6 and earlier) that allows an unauthenticated remote attacker to bypass the login authentication. This means the attacker can access the web application without credentials and view or modify all device settings. The root cause is an incorrect type conversion or cast (CWE-704) in the application. [1]
How can this vulnerability impact me?
This vulnerability can have a severe impact as it allows an attacker to gain full control over the IndustrialPI device remotely without authentication. The attacker can change all available settings, potentially disrupting operations, causing data loss, or compromising the integrity and availability of the device and its functions. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can verify if your system is affected by checking the installed version of the IndustrialPI webstatus package using the command: 'dpkg -l | grep revpi-webstatus'. If the version is 2.4.6 or earlier, your system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the webstatus package to version 2.4.6 or later using the commands: 'sudo apt update && sudo apt upgrade -y'. Additionally, restrict network access to the IndustrialPI device using firewalls or similar network controls. [1]
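The detection answer above only greps the package list, which shows the version but does not compare it. The script below is an added example (not part of the BaseFortify page and not code from the IndustrialPI / Revolution Pi project) that queries dpkg for the package and does a numeric, field-by-field comparison against the last affected release. It assumes the package name `revpi-webstatus` exactly as the Q&A gives it and treats "2.4.6 or earlier" from the page as the affected range; Debian epochs ("1:") and revisions ("-1") are stripped before comparing.

```shell
#!/bin/sh
# CVE-2025-41648 version check for the IndustrialPI webstatus package.
# Added example, not from the advisory page or the vendor. Assumptions:
#   - package name 'revpi-webstatus' (as named in the page's Q&A)
#   - versions at or below 2.4.6 are affected (as stated on the page)
set -u

VULN_MAX="2.4.6"
PKG="revpi-webstatus"

# upstream_version: strip a Debian epoch ("1:") and revision ("-1") from a
# dpkg version string so only the dotted upstream part is compared.
upstream_version() {
    v="$1"
    v="${v#*:}"      # drop epoch, if any
    v="${v%%-*}"     # drop Debian revision, if any
    printf '%s\n' "$v"
}

# version_le A B: returns 0 when dotted version A <= B, comparing each
# field as an integer (missing fields count as 0, "6rc1" compares as 6).
version_le() {
    a="$(upstream_version "$1")"
    b="$(upstream_version "$2")"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        bi="${b%%.*}"; [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # keep leading digits only
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 0
}

# is_vulnerable VERSION: 0 (true) when VERSION is at or below VULN_MAX.
is_vulnerable() {
    version_le "$1" "$VULN_MAX"
}

# installed_version: print the installed package version, or nothing if
# the package is absent (dpkg-query -W -f is standard on Debian-based hosts).
installed_version() {
    dpkg-query -W -f='${Version}' "$PKG" 2>/dev/null || true
}

# check_host: report this host's status. Exit codes:
#   0 = affected version installed, 1 = not affected, 2 = package missing
check_host() {
    v="$(installed_version)"
    if [ -z "$v" ]; then
        echo "$PKG is not installed"
        return 2
    fi
    if is_vulnerable "$v"; then
        echo "AFFECTED: $PKG $v (CVE-2025-41648), see the vendor advisory"
        return 0
    fi
    echo "not affected: $PKG $v"
    return 1
}

# Run the host check only when invoked as: sh check_revpi.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it again after the `apt upgrade` step to confirm the installed version has moved out of the affected range; a package that is present but not upgradable from the configured repositories will keep reporting AFFECTED, which is the signal to fall back on the network restrictions the answer above recommends.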