KUNBUS has issued a critical security advisory for its RevPi Webstatus application following the discovery of an authentication bypass vulnerability tracked as CVE-2025-41646. With a CVSS base score of 9.8, the flaw lets unauthenticated attackers bypass the login check entirely, potentially exposing industrial automation systems to severe compromise.
"The password check is vulnerable to an implicit type conversion. That results in a wrong authentication if the JSON value TRUE is provided in the password parameter hashcode," the KUNBUS advisory explains.
The root cause of CVE-2025-41646 is a logic flaw in how the Webstatus authentication code compares the supplied password value: the comparison performs an implicit type conversion instead of checking that the value is a string, so the JSON boolean true is accepted as a valid credential.
By sending a request like:
…an attacker can effectively bypass the password verification routine, gaining access to the RevPi Webstatus interface without knowing the actual password.
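As an added illustration (not code from KUNBUS or from RevPi Webstatus, whose source the advisory does not show), the Python below models the class of bug the advisory describes: a login check whose comparison converts types implicitly, so that a JSON `true` in the `hashcode` field compares equal to any non-empty stored hash, beside a hardened check that rejects non-string values and compares in constant time. The emulated conversion follows PHP's loose `==` rules for booleans; that the product's check behaves exactly this way is an assumption. The stored hash and the request bodies are constructed for the example.

```python
import hmac
import json
from typing import Any

# Constructed stand-in for the stored credential the login check compares against.
# Any non-empty string triggers the bypass; the actual value does not matter.
STORED_HASH = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"


def _loose_bool(value: Any) -> bool:
    """Truthiness rules of a loosely typed runtime, modelled on PHP's (bool) cast:
    "" and "0" are false, every other string is true."""
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value not in ("", "0")
    return len(value) > 0  # list or dict


def loose_eq(a: Any, b: Any) -> bool:
    """Emulates the implicit type conversion behind the advisory: when either side
    is a boolean, the other side is converted to boolean before comparing
    (PHP '==' semantics; an assumption about the kind of conversion, not code
    taken from RevPi Webstatus)."""
    if isinstance(a, bool) or isinstance(b, bool):
        return _loose_bool(a) == _loose_bool(b)
    return a == b


def vulnerable_login(body: str) -> bool:
    """Vulnerable pattern: compare whatever JSON type arrived against the stored hash.
    A JSON true becomes Python True, and loose_eq(True, <non-empty string>) is True."""
    supplied = json.loads(body).get("hashcode")
    return loose_eq(supplied, STORED_HASH)


def hardened_login(body: str) -> bool:
    """Hardened check: reject malformed JSON and non-object bodies, require the
    credential field to be a string, and compare in constant time."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    if not isinstance(data, dict):
        return False
    supplied = data.get("hashcode")
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode(), STORED_HASH.encode())


if __name__ == "__main__":
    # Constructed request bodies: a boolean instead of a password string.
    bypass = '{"hashcode": true}'
    print("vulnerable:", vulnerable_login(bypass))  # accepted without the password
    print("hardened:  ", hardened_login(bypass))    # rejected
```

The type check is the essential fix: once only strings reach the comparison, the boolean conversion can no longer be triggered, and `hmac.compare_digest` additionally removes the timing side channel of an ordinary string comparison.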
All versions of RevPi Webstatus up to and including v2.4.5 are vulnerable. This includes multiple releases of Revolution Pi OS Bullseye across 2023 and 2024:
- Revolution Pi OS Bullseye 06/2023 to 04/2024
- RevPi Webstatus <= 2.4.5
RevPi Webstatus provides a web-based management interface for Revolution Pi industrial automation systems. Successful exploitation could allow unauthorized configuration changes, surveillance of the device, or denial-of-service attacks, which is particularly dangerous in industrial control system (ICS) environments.
KUNBUS has released a patched version, RevPi Webstatus 2.4.6, and recommends users immediately upgrade via standard package management tools:
Alternatively, the fixed package can be downloaded manually from KUNBUS. A system restart is required after installation to apply the fix.