Swiss building automation manufacturer Sauter AG has disclosed six vulnerabilities in the embedded firmware of its modulo 6 devices, warning that attackers could exploit these flaws to gain remote control, escalate privileges, and compromise system integrity. One of the vulnerabilities, tracked as CVE-2025-41723, carries a CVSS score of 9.8, making it critical.
The company confirmed that the vulnerabilities affect both the embedded web server and the SOAP-based interface used by SAUTER CASE Suite tools, which are integral to managing and configuring the company’s energy and HVAC automation devices.
“The vulnerabilities in the modulo 6 devices allow privilege escalation, remote exploitation, and compromise of device integrity, availability and confidentiality,” the advisory warns.
The most severe flaw, CVE-2025-41723, resides in the importFile SOAP method, which is vulnerable to a directory traversal attack.
According to Sauter AG:
“An unauthenticated remote attacker [can] bypass the path restriction and upload files to arbitrary locations.”
Successful exploitation could allow attackers to overwrite configuration or system files, potentially leading to remote code execution or permanent device compromise.
A second high-severity flaw, CVE-2025-41719 (CVSS 8.8), enables a low-privileged remote attacker to corrupt the web server’s user storage, effectively resetting authentication controls.
“A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of the default Administrator with a known default password.”
This means an attacker could instantly gain full administrative control, reusing the default credentials that ship with the product.
Another vulnerability, CVE-2025-41724 (CVSS 7.5), allows an unauthenticated attacker to crash the wscserver by sending incomplete SOAP requests.
This denial-of-service (DoS) flaw could disrupt building automation systems managing heating, ventilation, and access control, requiring manual restarts to restore service continuity.
In CVE-2025-41722 (CVSS 7.5), the advisory reveals that the SOAP interface uses a hard-coded certificate to verify message authenticity, introducing a cryptographic weakness.
“An unauthenticated remote attacker can extract private keys from the software of the affected devices.”
This vulnerability could allow adversaries to intercept and manipulate secure communications, compromising both confidentiality and integrity.
Two additional flaws—CVE-2025-41720 (CVSS 4.3) and CVE-2025-41721 (CVSS 2.7)—pose moderate to low risks but remain exploitable under specific conditions:
- CVE-2025-41720: A low privileged remote attacker can upload arbitrary data masked as a png file… because only the file extension is verified.
- CVE-2025-41721: A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements.
Although these vulnerabilities require some degree of privilege, they could still be leveraged to tamper with SSL certificate operations or store malicious payloads disguised as image files.
The vulnerabilities affect multiple generations of SAUTER’s modulo 5 and modulo 6 controllers.
| Product | Embedded Software | Affected Firmware Version |
|---|---|---|
| EY-modulo 5 ecos 5 ecos504/505 | EY-modulo 5 embedded software | < v6.0 |
| EY-modulo 5 modu 5 modu524/525 | EY-modulo 5 embedded software | < v6.0 |
| Modulo 6 devices modu612-LC | Modulo 6 embedded software | < v3.2.0 |
| Modulo 6 devices modu660-AS | Modulo 6 embedded software | < v3.2.0 |
| Modulo 6 devices modu680-AS | Modulo 6 embedded software | < v3.2.0 |
Sauter AG strongly recommends that all customers update immediately to firmware version 3.2.0 or newer.