Pilz: Authentication Bypass and Cross-Site-Scripting in PiCtory
Priority: Act Now · Severity: 9.8 (CVSS) · Advisory ID: PPSA-2025-001 · Published: Jun 30, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
PiCtory, a web application for configuring the Pilz IndustrialPI industrial PC, contains three vulnerabilities: two critical authentication bypass and cross-site-scripting (XSS) flaws, and one medium-severity reflected XSS vulnerability. These allow unauthenticated remote attackers to bypass authentication controls and inject malicious scripts into the web interface.
What this means
What could happen
An attacker could bypass authentication on the PiCtory configuration interface and execute arbitrary commands on the IndustrialPI, potentially altering automation logic, stopping processes, or gaining control of connected production equipment. Malicious scripts could also be injected to steal credentials or redirect operators to fake login pages.
Who's at risk
Manufacturing organizations using Pilz IndustrialPI industrial PCs with PiCtory web-based configuration tools are affected. This includes facility automation managers, plant engineers, and system integrators who rely on PiCtory to configure automation controllers, safety systems, and process logic.
How it could be exploited
An attacker with network access to the IndustrialPI's web interface (port 80/443) can send a specially crafted request that bypasses authentication without valid credentials. Having bypassed authentication, the attacker can inject malicious JavaScript into the web application; it executes in the browser of any operator who views the affected page, enabling credential theft or further system compromise.
Prerequisites
- Network access to the IndustrialPI web interface (port 80/443)
- No valid credentials required for initial authentication bypass
Tags: remotely exploitable · no authentication required · low complexity · affects critical configuration interface · high CVSS score (9.8)
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (1)
Product                  Affected Versions   Fix Status
Hardware IndustrialPI 4  < 2.12              2.12
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the IndustrialPI using a firewall to allow only trusted engineering workstations and management networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update PiCtory package to version 2.12 or later using 'sudo apt update && sudo apt upgrade -y'
HARDENING: Verify PiCtory package version with 'dpkg -l | grep pictory' to confirm successful update
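The verification step above leaves the operator to eyeball a version string, and a plain string comparison would misjudge a version such as 2.9 against 2.12. The following POSIX shell script is an added example, not part of the Pilz advisory or the PiCtory project: it parses `dpkg -l` output and reports whether the installed package is below the fixed version 2.12 named in the advisory. It assumes the Debian package is named "pictory", as the advisory's `dpkg -l | grep pictory` check implies; the sample listing embedded at the bottom is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example (not from the Pilz advisory or the PiCtory project): decide from
# `dpkg -l` output whether the installed PiCtory package is below the fixed
# version 2.12 named in the advisory. Assumes the Debian package is named
# "pictory", as the advisory's `dpkg -l | grep pictory` check implies.

FIXED_VERSION="2.12"

# version_lt A B: succeed (exit 0) when A < B, comparing dot-separated fields
# numerically so that 2.9 sorts below 2.12 (plain string comparison gets this wrong).
# A Debian revision suffix such as "-1" is ignored because awk reads only the
# leading digits of each field.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# pictory_status DPKG_OUTPUT: print "not-installed", "vulnerable (<ver> < 2.12)"
# or "fixed (<ver>)" for the first installed ("ii") package whose name contains
# "pictory". Takes the listing as its argument so a saved listing can be fed in.
pictory_status() {
    line=$(printf '%s\n' "$1" | awk '$1 == "ii" && $2 ~ /pictory/ { print; exit }')
    if [ -z "$line" ]; then
        echo "not-installed"
        return 0
    fi
    ver=$(printf '%s\n' "$line" | awk '{ print $3 }')
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable ($ver < $FIXED_VERSION)"
    else
        echo "fixed ($ver)"
    fi
}

# Constructed sample listing in `dpkg -l` format (not captured from a real device).
SAMPLE_DPKG='ii  pictory  2.11  all  PiCtory configuration tool
ii  openssh-server  1:9.2p1-2  arm64  secure shell (SSH) server'

# On a live IndustrialPI the call would be: pictory_status "$(dpkg -l)"
pictory_status "$SAMPLE_DPKG"
```

The field-by-field numeric comparison is the point of the script: it is what makes 2.9 report as vulnerable and 2.12-1 report as fixed. Pre-release suffixes such as "2.12~rc1" would also read as 2.12, so treat the output as a fleet triage aid rather than a substitute for `apt policy` on a device whose version string looks unusual.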