Viessmann Vitogate 300

Plan PatchCVSS 8.8ICS-CERT ICSA-25-266-04Sep 23, 2025

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Vitogate 300 versions before 3.1.0.1 contain command injection and OS command manipulation vulnerabilities (CWE-78, CWE-602) that allow an attacker on the local network segment to modify OS commands sent to downstream heating control components or cause unexpected client-server interactions. These vulnerabilities are not remotely exploitable over the internet but require network access on the same segment as the gateway.

What this means

What could happen

An attacker with network access to Vitogate 300 could modify OS commands sent to downstream devices, potentially altering heating system configuration or disabling safety controls. This could cause unexpected system behavior or allow manipulation of building climate or hot water operation.

Who's at risk

Building automation and heating system operators using Viessmann Vitogate 300 gateways, which are commonly deployed to manage boilers, heat pumps, and climate control systems in commercial and residential buildings. Facility managers and building engineers who rely on these systems for heating and hot water operation are affected.

How it could be exploited

An attacker on the same network segment as Vitogate 300 could intercept or modify command traffic between the gateway and connected downstream components (boilers, controllers). By altering OS commands before they reach the device, the attacker could change setpoints, disable monitoring, or cause the system to operate unsafely.

Prerequisites

Network access to Vitogate 300 on the same local network segment (not remotely exploitable over the internet)
No authentication required to exploit the command modification vulnerability
Ability to intercept or influence traffic between the gateway and downstream devices

Low network complexity to exploitNo authentication requiredAffects heating and safety system controlHigh CVSS score (8.8)

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

Vitogate 300: <3.1.0.1<3.1.0.13.1.0.1

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGImplement firewall rules to block all inbound network access to Vitogate 300 from untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Vitogate 300 to firmware version 3.1.0.1 or newer

Long-term hardening

0/1

HARDENINGIsolate Vitogate 300 and connected heating system devices on a separate network segment from business/IT networks and the internet

CVEs (2)

CVE-2025-9494 CVE-2025-9495

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a69df456-1b46-4f83-aef5-23feba0b4a8d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.