
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a risk evaluation advisory detailing several high-severity vulnerabilities impacting KUNBUS Revolution Pi products—industrial automation devices used in smart manufacturing and IoT environments. The flaws, if exploited, could enable attackers to bypass authentication, execute arbitrary server-side code, and launch cross-site scripting (XSS) attacks against web-based interfaces.
The advisory highlights four vulnerabilities:
- CVE-2025-24522 (CVSS Score: 10.0) – Missing Authentication for Critical Function
KUNBUS Revolution Pi OS Bookworm 01/2025 lacks default authentication on the Node-RED server, a key automation tool. CISA warns that this misconfiguration “can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the underlying operating system.”
- CVE-2025-32011 (CVSS Score: 9.8) – Authentication Bypass via Path Traversal
KUNBUS PiCtory versions 2.5.0 to 2.11.1 are vulnerable to an authentication bypass flaw. A remote attacker can exploit this path traversal issue to gain unauthorized access. “A remote attacker can bypass authentication to get access,” the advisory notes.
- CVE-2025-35996 (CVSS Score: 9.0) – Improper Neutralization of Server-Side Includes (SSI)
In PiCtory versions 2.11.1 and earlier, malicious filenames submitted via API endpoints can be interpreted as executable HTML content, leading to XSS attacks. “Due to a missing escape or sanitization, the filename could be executed as an HTML script tag,” CISA explains.
- CVE-2025-36558 (CVSS Score: 6.1) – XSS via sso_token Authentication Parameter
An attacker can craft a malicious PiCtory URL containing an embedded script in the sso_token, which is then executed in the user’s browser. This vulnerability allows for targeted social engineering and session hijacking.
Security researcher Adam Bromiley of Pen Test Partners was credited for responsibly disclosing these issues.
KUNBUS has released PiCtory version 2.12 to address the vulnerabilities and plans to provide a Cockpit plugin by the end of April 2025, allowing users to configure authentication settings via a graphical UI.
In the meantime, users are strongly advised to:
- Enable authentication manually following KUNBUS’s guide.
- Ensure all control systems are isolated from the internet and placed behind firewalls.
- Use VPNs for remote access, ensuring both the VPN software and endpoint devices are updated and secure.
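As an added example, not text from the advisory or from KUNBUS's guide, the following assumes the Revolution Pi's Node-RED reads a standard settings.js: it shows the unauthenticated default next to an adminAuth block, plus a small checker that flags a settings object still lacking authentication. The bcrypt hashes are constructed placeholders.

```javascript
// Added example, not KUNBUS or Node-RED project code. Assumes a standard
// Node-RED settings.js. Password values are placeholders: generate real
// hashes with `node-red admin hash-pw` before use.

// Weak: the state CVE-2025-24522 describes. With no adminAuth, anyone who
// can reach port 1880 can edit and deploy flows, and via exec/function
// nodes run commands on the host.
const weakSettings = {
  uiPort: 1880,
};

// Hardened: editor and admin API behind credentials, with a read-only
// operator account, and HTTP-in endpoints served by flows also protected.
const hardenedSettings = {
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [
      { username: "admin",
        password: "$2b$08$PLACEHOLDER_HASH_FROM_hash-pw", // constructed
        permissions: "*" },
      { username: "operator",
        password: "$2b$08$PLACEHOLDER_HASH_FROM_hash-pw", // constructed
        permissions: "read" },
    ],
  },
  httpNodeAuth: { user: "flows", pass: "$2b$08$PLACEHOLDER_HASH" },
};
// In a real settings.js finish with: module.exports = hardenedSettings;

// Audit helper: returns a list of findings; an empty list means the
// settings object has both the editor and HTTP-in nodes behind auth.
function checkNodeRedSettings(settings) {
  const findings = [];
  const auth = settings.adminAuth;
  if (!auth) {
    findings.push("adminAuth missing: editor and admin API are unauthenticated");
    return findings;
  }
  if (auth.type === "credentials") {
    const users = auth.users || [];
    if (users.length === 0) findings.push("adminAuth.users is empty");
    for (const u of users) {
      // Node-RED stores bcrypt hashes ($2a$/$2b$/$2y$), never plaintext
      if (!/^\$2[aby]\$/.test(u.password || "")) {
        findings.push(`user ${u.username}: password is not a bcrypt hash`);
      }
    }
  }
  if (!settings.httpNodeAuth) findings.push("httpNodeAuth missing: HTTP-in nodes unauthenticated");
  return findings;
}
```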
While no active exploitation has been observed as of the report’s release, the vulnerabilities—especially those with perfect or near-perfect CVSS scores—pose a significant risk to industrial environments if left unpatched.