Two critical vulnerabilities recently disclosed by CERT@VDE, in coordination with industrial automation company Pilz, highlight a sobering reality: even industry-grade systems built to run factories and automation lines can ship with glaring security gaps. The affected product, the Pilz IndustrialPI 4, is marketed as a robust industrial PC, yet these flaws show how an authentication bypass and an insecure default configuration can leave such a device dangerously exposed.
The first vulnerability, CVE-2025-41648, allows an unauthenticated remote attacker to completely bypass the web login interface of affected IndustrialPI systems.
"An attacker can bypass the login to the web application making it possible to access and maliciously change all available settings of the IndustrialPI," according to the advisory.
This flaw affects IndustrialPI 4 devices running the revpi-webstatus package in versions prior to 2.4.6. A successful exploit grants full control of the device's configuration, allowing an attacker to tamper with system parameters, disable services, or reconfigure a device that sits inside an industrial network.
The second vulnerability, tracked as CVE-2025-41656, carries the maximum CVSS score of 10.0. On installations running the Bullseye-based firmware (images dated 2024-08 or earlier), the Node-RED service runs with no authentication enabled by default.
"An unauthenticated remote attacker has full access to the Node-RED server and can run arbitrary operating system commands on the underlying operating system with privileged rights," the advisory warns.
Node-RED, a flow-based development tool often used to control industrial processes, lets anyone who can reach its editor create and modify flows, including nodes that execute code or system commands on the host.
"Flows can contain code blocks where commands are executed on the IndustrialPI itself," the advisory explains. "An attacker can use these code blocks to run any command as a privileged user on the IndustrialPI."
This amounts to unauthenticated remote command execution with root privileges, a worst-case scenario for an industrial controller that is reachable from the internet or from an untrusted network segment.
Pilz and CERT@VDE recommend urgent action:
For CVE-2025-41648:
- Update the revpi-webstatus package to version 2.4.6 or later via apt. The standard sudo apt update && sudo apt upgrade -y pulls it in together with every other pending update; on a production controller where that is undesirable, sudo apt update && sudo apt install --only-upgrade revpi-webstatus limits the change to the affected package.
- Verify the installed version afterwards: dpkg -l | grep revpi-webstatus (or dpkg-query -W revpi-webstatus) and confirm it reports 2.4.6 or higher.
- Limit network access to the device using firewalls or network segmentation.
For CVE-2025-41656:
- Enable Node-RED authentication by following Pilz's remediation guide (available through its support portal).
- Note that the Node-RED service is switched on through the device's web interface; it must be enabled before the authentication settings can be applied, and it should stay disabled on devices that do not need it.
- As with the first vulnerability, restrict network access to trusted segments; the Node-RED editor port should never be reachable from untrusted networks.
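The two checks above (package version for CVE-2025-41648, authentication state of the Node-RED admin API for CVE-2025-41656) can be scripted so that a fleet of controllers is audited the same way every time. The following POSIX shell helper is an added example, not code from Pilz, CERT@VDE or the advisory. It assumes the package name revpi-webstatus as given above, that Node-RED listens on its default admin port 1880 (pass another port if the device differs), and that an unauthenticated GET /flows on the Node-RED admin API returns 200 when no authentication is configured and 401 once it is. The version comparison is deliberately independent of dpkg so it can be tested offline; the Debian revision suffix is stripped before comparing.

```shell
#!/bin/sh
# Added audit helper for the two IndustrialPI 4 advisories (example code, not
# from Pilz or CERT@VDE). Assumptions: the package is named revpi-webstatus as
# the advisory states, Node-RED listens on its default admin port 1880, and the
# admin API answers GET /flows with 200 when no adminAuth is configured and with
# 401 when it is.

# version_ge A B: succeed when dotted numeric version A >= B.
# Debian revisions and suffixes ("2.4.6-1", "2.4.5~rc1") are stripped first.
version_ge() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
  done
  return 0
}

# webstatus_fixed VERSION: succeed when the revpi-webstatus version carries
# the CVE-2025-41648 fix (>= 2.4.6).
webstatus_fixed() {
  version_ge "$1" 2.4.6
}

# audit_local_webstatus: query dpkg on the device itself and report.
audit_local_webstatus() {
  installed=$(dpkg-query -W -f '${Version}' revpi-webstatus 2>/dev/null) || {
    echo "revpi-webstatus: package not installed"; return 2; }
  if webstatus_fixed "$installed"; then
    echo "OK: revpi-webstatus $installed (>= 2.4.6)"
  else
    echo "VULNERABLE: revpi-webstatus $installed (< 2.4.6, CVE-2025-41648)"; return 1
  fi
}

# classify_nodered_status CODE: turn the HTTP status of an unauthenticated
# GET /flows into a verdict (kept separate from the network call so it can be
# exercised offline).
classify_nodered_status() {
  case "$1" in
    200)     echo "VULNERABLE: Node-RED admin API served /flows without credentials (CVE-2025-41656)"; return 1 ;;
    401|403) echo "OK: Node-RED admin API requires authentication" ;;
    000|"")  echo "UNREACHABLE: no HTTP response (service disabled or port filtered)"; return 2 ;;
    *)       echo "UNKNOWN: HTTP $1 from Node-RED admin API"; return 3 ;;
  esac
}

# probe_nodered HOST [PORT]: one read-only unauthenticated request; no flow is
# ever written to the device.
probe_nodered() {
  host=$1; port=${2:-1880}
  code=$(curl -s -m 5 -o /dev/null -w '%{http_code}' "http://$host:$port/flows")
  classify_nodered_status "$code"
}

# Run the checks only when a host is passed on the command line.
if [ -n "${1:-}" ]; then
  audit_local_webstatus
  probe_nodered "$1" "${2:-1880}"
fi
```

Run it on the controller as sh ipi_audit.sh 192.0.2.10 (a constructed example address) to get both the local package verdict and the Node-RED probe; the non-zero return codes make it usable from a fleet-wide inventory job. Node-RED's own mechanism for protecting the admin API is the adminAuth block in settings.js; whatever the Pilz guide configures, a 401 from the probe is the state you want to see, and an unreachable port on a device that does not need Node-RED is better still.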