CVE-2025-41712
Incorrect Permission Assignment in Web Server Enables Sensitive Data Access
Publication date: 2026-03-10
Last updated on: 2026-03-10
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| janitza | umg_96rm_e | to 3.13 (inc) |
| weidmueller | energy_meter | to 3.13 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
This vulnerability involves incorrect permission assignment on the web server of certain devices, which allows an unauthenticated remote attacker to trick a user into uploading a manipulated HTML file. By doing so, the attacker can gain access to sensitive information stored on the device.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the firmware of the affected devices to version 3.14, where this vulnerability and others are fixed.
- Update Janitza UMG 96RM-E 24V and 230V models to firmware version 3.14.
- Update Weidmueller Energy Meter models 750-24 and 750-230 to firmware version 3.14.
How can this vulnerability impact me? :
The impact of this vulnerability is that sensitive information on the affected device can be disclosed to an attacker without authentication. This can lead to unauthorized access to confidential data, potentially compromising the security and privacy of the device and its users.