CRITICAL🇵🇱 Wersja polska

CVE-2025-41646

CVSS 9.8v3.1pub. 2025-06-06upd. 2025-06-10

An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device

🤖 AI Analysis
How it works

The vulnerability stems from incorrect type conversion (CWE-704) in the authentication logic of the software. A remote attacker without any privileges can exploit this flaw to bypass identity verification and gain unauthorized access to the device. The attack requires no user interaction or special network conditions — network access to the vulnerable system is sufficient.

Impact

The attacker gains full, unauthorized access to the device, resulting in a breach of confidentiality, integrity, and availability — a complete compromise of the system.

Mitigation & patch

Apply patches available from the manufacturer according to the references (https://www.kunbus.com/en/productsecurity/Kunbus-2025-0000003). Until the fix is implemented, it is recommended to restrict network access to RevPi Status devices through network segmentation or a firewall.

Who is affected

Kunbus RevPi Status — versions indicated in the manufacturer's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Kunbus Revpi Status

    APP
    Kunbus
    < 2.4.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2019-6527CRITICAL9.8ten sam vendor

PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) may allow an attacker to...

CVE-2019-6533CRITICAL9.1ten sam vendor

Registers used to store Modbus values can be read and written from the web interface without authentication in...

CVE-2019-6531HIGH8.1ten sam vendor

An attacker could retrieve passwords from a HTTP GET request from the Kunbus PR100088 Modbus gateway versions ...

CVE-2019-6549HIGH7.2ten sam vendor

An attacker could retrieve plain-text credentials stored in a XML file on PR100088 Modbus gateway versions pri...

CVE-2019-6529MEDIUM4.9ten sam vendor

An attacker could specially craft an FTP request that could crash the PR100088 Modbus gateway versions prior t...