CVE-2025-41109
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-10-31
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ghostrobotics | vision_60_firmware | 0.27.2 |
| ghostrobotics | vision_60 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| NVD-CWE-noinfo | |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Ghost Robotics Vision 60 v0.27.2 arises because the robot's physical interfaces, including three RJ45 connectors and a USB Type-C port, lack authentication mechanisms. The internal router automatically assigns an IP address to any device that is physically connected, so an attacker can attach a WiFi access point they control without needing network credentials. Once connected, the attacker can access the robot's network and monitor all data, because the robot runs on ROS 2, which does not have authentication enabled by default.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can gain unauthorized access to the robot's internal network by physically connecting a device. This can lead to data interception and monitoring of all communications within the robot's network, potentially exposing sensitive information or enabling further attacks on the system.