
KUNBUS has issued a critical security advisory for its RevPi Webstatus application following the discovery of an authentication bypass vulnerability identified as CVE-2025-41646. With a CVSS base score of 9.8, this flaw allows unauthenticated attackers to bypass login checks entirely—potentially exposing industrial automation systems to severe compromise.
“The password check is vulnerable to an implicit type conversion. That results in a wrong authentication if the JSON value TRUE is provided in the password parameter hashcode,” the KUNBUS Advisory explains.
At the root cause of CVE-2025-41646 lies a logic flaw caused by implicit type coercion in JSON parsing. Specifically, the password field in the Webstatus authentication logic incorrectly interprets the JSON boolean value true as a valid credential.
By sending a request like:
…an attacker can effectively bypass the password verification routine, gaining access to the RevPi Webstatus interface without knowing the actual password.
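To make the coercion concrete, the following Python illustration is added here and is not KUNBUS's code: it emulates the loosely typed comparison the advisory describes, places the strict type check that closes the hole beside it, and adds a small classifier a defender can run over logged request bodies. The stored hash value and the `loose_equal` emulation are constructed assumptions; only the `hashcode` field name comes from the advisory.

```python
import hashlib
import hmac
import json

# Constructed stored credential: hex digest of a demo password (not a real RevPi value).
STORED_HASH = hashlib.sha256(b"demo-password").hexdigest()


def loose_equal(provided, stored):
    """Emulates a loosely typed equality: when one side is a boolean, the
    other side is coerced to its truthiness before comparing. This is the
    implicit type conversion the advisory describes, reproduced only to
    show why a JSON `true` matches any non-empty hash string."""
    if isinstance(provided, bool) or isinstance(stored, bool):
        return bool(provided) == bool(stored)
    return provided == stored


def vulnerable_check(body: str) -> bool:
    """Before: takes the JSON value as-is and compares it loosely."""
    hashcode = json.loads(body).get("hashcode")
    return loose_equal(hashcode, STORED_HASH)


def hardened_check(body: str) -> bool:
    """After: reject any non-string value, then compare in constant time."""
    hashcode = json.loads(body).get("hashcode")
    if not isinstance(hashcode, str):  # bool, int, None, list ... are all refused
        return False
    return hmac.compare_digest(hashcode.encode(), STORED_HASH.encode())


def classify_request(body: str) -> str:
    """Detection helper for request logs: a credential field that is not a
    JSON string is the signature of this bypass attempt."""
    try:
        hashcode = json.loads(body).get("hashcode")
    except json.JSONDecodeError:
        return "malformed"
    return "ok" if isinstance(hashcode, str) else "non-string-credential"
```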
All versions of RevPi Webstatus up to and including v2.4.5 are vulnerable. This includes multiple releases of Revolution Pi OS Bullseye across 2023 and 2024:
- Revolution Pi OS Bullseye 06/2023 – 04/2024
- RevPi Webstatus <= 2.4.5
RevPi Webstatus provides a crucial web-based interface for industrial automation systems. A successful exploitation of this vulnerability could allow unauthorized configuration changes, surveillance, or denial-of-service attacks—particularly dangerous in industrial control system (ICS) environments.
KUNBUS has released a patched version, RevPi Webstatus 2.4.6, and recommends users immediately upgrade via standard package management tools:
Alternatively, download the fixed package manually here. A system restart is required after installation to apply the fix.