CRITICAL🇵🇱 Wersja polska

CVE-2025-41672

CVSS 10.0v3.1pub. 2025-07-07upd. 2026-04-15

A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices.

🤖 AI Analysis
How it works

The application contains default certificates (signing keys) whose knowledge allows anyone to independently generate valid JWT tokens. Since the authentication mechanism is based on verifying the token signature using these known keys, an attacker can forge a token with arbitrary privileges without possessing login credentials. The attack is possible remotely, without user interaction, and without any prerequisites on the attacker's side.

Impact

Attacker gains full, unrestricted access to the tool and all connected devices, resulting in complete loss of system confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references — detailed information about patched versions is contained in advisory VDE-2025-057 available at https://cert.vde.com/en/advisories/VDE-2025-057. It is critical to replace default certificates with unique, secure JWT signing keys.

Who is affected

Versions indicated in manufacturer references (WAGO / CERT VDE, advisory VDE-2025-057)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References