Critical Frauscher Flaws (CVE-2025-3626 CVSS 9.1, CVE-2025-3705 CVSS 6.8): OS Command Injection Threatens Railway Systems
Do Son 
A newly published security advisory coordinated by CERT@VDE and Frauscher Sensortechnik GmbH reveals two severe OS command injection vulnerabilities affecting Frauscher’s FDS101, FDS102, and FDS-SNMP101 systems—devices critical to railway diagnostics and control infrastructure.
“Frauscher Sensortechnik FDS101, FDS-SNMP101 and FDS102 for FAdC/FAdCi R2 and all previous versions are vulnerable to OS Command Injection via malicious configuration file,” the advisory states.
CVE-2025-3626 (CVSS 9.1) – Remote Admin Compromise via WebUI
This critical flaw allows a remote attacker with administrator privileges to upload a malicious configuration file via the device’s web interface and gain full control of the affected system.
“Improper neutralization of special elements used in an OS Command (‘OS Command Injection’) while uploading a config file via webUI,” is the root cause of the vulnerability.
CVE-2025-3705 (CVSS 6.8) – Physical Attack via USB Drive
A second vulnerability enables local attackers with physical access to execute malicious OS commands by loading a crafted config file from a USB drive—even without any user privileges.
“A physical attacker with no privileges can gain full control of the affected device,” due to insecure handling of USB-based configuration files.
Both vulnerabilities can lead to complete device compromise, allowing an attacker to:
- Execute arbitrary commands
- Interfere with diagnostics
- Disrupt signaling data integrity
- Pivot into connected networks if security segmentation is weak
“This enables a remote or a local attacker to gain full control of the FDS101/FDS-SNMP101/FDS102 device,” warns the advisory.
| Product | Affected Versions |
|---|---|
| FDS101 | ≤ v1.4.25 |
| FDS-SNMP101 | ≤ v2.3.9 |
| FDS102 | v2.8.0 to < v2.13.3 |
Frauscher has issued version v2.13.3 of FDS102 to patch these issues. Operators using affected versions are urged to update immediately.
Meanwhile, Frauscher also outlines safety procedures under its SecRAC (Security-related Application Conditions) program:
“The railway operator must ensure that only authorised personnel or people in the company of authorised personnel have access to the Frauscher Diagnostic System… This applies for both vulnerabilities.”
Additionally, they recommend placing affected systems on network category 2 per EN 50159:2010. If placed on category 3 networks (i.e., external or shared communication networks), additional protective controls must be implemented to isolate the device.
Related Posts:
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
