CVE-2025-41733
Published: 18 November 2025
Description
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
Mitigating Controls (NIST 800-53 r5) [AI]
- Prohibits sensitive actions, such as setting root credentials through the commissioning wizard, without prior identification and authentication.
- Requires validation of inputs to the commissioning wizard, including a check of the device's initialization state, so that crafted POST requests against an already-initialized device are rejected.
- Enforces access authorizations on the network-exposed web interface that hosts the commissioning wizard, so the endpoint cannot be driven by unauthenticated remote clients.
Security Summary [AI]
CVE-2025-41733 affects the commissioning wizard on the affected devices: the wizard does not check whether the device has already been initialized. This authentication bypass, classified as CWE-305, lets an unauthenticated remote attacker construct POST requests that set root credentials. Published on 2025-11-18 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it is rated critical because it is reachable over the network and requires neither privileges nor user interaction.
An attacker with network access to the device's web interface can exploit it by sending crafted POST requests to the commissioning wizard, even after the device has been commissioned. Successful exploitation sets root credentials of the attacker's choosing, giving full control over the confidentiality, integrity, and availability of the device.
Mitigation details are available in the CERT VDE advisory at https://certvde.com/de/advisories/VDE-2025-097.
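The bug class described above, and the three controls listed under Mitigating Controls, can be shown side by side in a small model of the wizard's request handler. This is an added, hypothetical illustration; it is not code from the affected product, the vendor, or CERT VDE. The endpoint name, the form field name, the in-memory device state, and the attack scenario are assumptions. The vulnerable handler writes root credentials on every POST; the hardened handler validates the input, treats commissioning as a one-shot first-boot action, and requires an authenticated session before root credentials can be changed on an initialized device.

```python
"""Vulnerable vs. hardened model of a device commissioning wizard.

Hypothetical illustration of the weakness behind CVE-2025-41733 (the
wizard never checks whether the device is already initialized). Not the
affected product's code; endpoint and field names are assumptions.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

SALT_LEN = 16
PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


@dataclass
class Device:
    initialized: bool = False
    root_pw_hash: Optional[bytes] = None          # salt || pbkdf2 digest
    sessions: Set[str] = field(default_factory=set)  # live authenticated sessions


def _hash_pw(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def _check_pw(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_hash_pw(password, salt)[SALT_LEN:], digest)


def login(dev: Device, password: str) -> Optional[str]:
    """Authenticate as root; returns a session token on success."""
    if dev.root_pw_hash and _check_pw(password, dev.root_pw_hash):
        tok = secrets.token_urlsafe(32)
        dev.sessions.add(tok)
        return tok
    return None


# --- vulnerable: POST /wizard/commission (assumed path) is honoured at any time, by anyone
def vulnerable_commission(dev: Device, form: Dict[str, str],
                          session: Optional[str] = None) -> Tuple[int, str]:
    dev.root_pw_hash = _hash_pw(form["root_password"])  # no state check, no auth check
    dev.initialized = True
    return 200, "root credentials set"


# --- hardened: input validation, one-shot state check, access enforcement
def hardened_commission(dev: Device, form: Dict[str, str],
                        session: Optional[str] = None) -> Tuple[int, str]:
    # Validate the request body: only the expected field, with a sane length.
    pw = form.get("root_password")
    if not isinstance(pw, str) or not 8 <= len(pw) <= 128 or set(form) - {"root_password"}:
        return 400, "invalid request"
    # Commissioning is a first-boot action. Once the device is initialized,
    # changing root credentials requires an authenticated session.
    if dev.initialized and (session is None or session not in dev.sessions):
        return 401, "authentication required"
    dev.root_pw_hash = _hash_pw(pw)
    dev.initialized = True
    return 200, "root credentials set"


Handler = Callable[[Device, Dict[str, str], Optional[str]], Tuple[int, str]]


def attack_scenario(handler: Handler) -> Dict[str, object]:
    """Constructed scenario: the owner commissions the device, then an
    unauthenticated attacker replays the wizard POST with their own password."""
    dev = Device()
    owner_status, _ = handler(dev, {"root_password": "owner-secret-pw"}, None)
    attacker_status, _ = handler(dev, {"root_password": "attacker-pw"}, None)
    return {
        "owner_status": owner_status,
        "attacker_status": attacker_status,
        "attacker_owns_root": login(dev, "attacker-pw") is not None,
        "owner_still_owns_root": login(dev, "owner-secret-pw") is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", attack_scenario(vulnerable_commission))
    print("hardened:  ", attack_scenario(hardened_commission))
```

Against the vulnerable handler the attacker's second POST succeeds and the owner's password stops working; against the hardened handler the same POST is refused with 401 and the owner's credentials survive. The fix is the state check plus access enforcement, not the hashing, which is present in both versions only so the scenario can verify who holds root afterwards.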
Details
- CWE(s): CWE-305 (Authentication Bypass by Primary Weakness)
Affected Products
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The commissioning wizard is a network-accessible, public-facing web application. The vulnerability lets an unauthenticated remote attacker bypass its authentication with crafted POST requests and set root credentials, so exploitation of that public-facing application leads directly to root-level privilege escalation on the device.