Pilz: Authentication Bypass and Cross-Site-Scripting in PiCtory

Plan: Patch
CVSS: 9.8
Advisory ID: PPSA-2025-001
Published: Jun 30, 2025
Vendor: Pilz
Sector: Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PiCtory, the web configuration interface for Pilz IndustrialPI industrial PCs, contains two critical vulnerabilities: an authentication bypass flaw (CWE-305) that allows attackers to access the interface without valid credentials, and a cross-site-scripting vulnerability (CWE-97) enabling arbitrary code execution or credential theft. A third medium-severity reflected XSS vulnerability also affects the application. These flaws affect IndustrialPI 4 devices running PiCtory versions prior to 2.12.

What this means
What could happen
An attacker can bypass authentication to the PiCtory web interface and execute arbitrary code on the IndustrialPI device, allowing them to modify industrial process configurations or disable the control system. Cross-site scripting attacks could also be used to steal credentials from authorized operators.
Who's at risk
Organizations operating Pilz IndustrialPI 4 systems for industrial process control and automation, including manufacturing facilities using PiCtory for device configuration and maintenance. Technicians and engineers who use the web interface to manage device settings are at risk of credential theft or unauthorized system modifications.
How it could be exploited
An attacker with network access to the PiCtory web interface (port 80/443 by default) can send a crafted request to bypass the authentication checks (CWE-305), gaining access without valid credentials. Once past authentication, the attacker can inject malicious scripts (CWE-97) to execute arbitrary code on the device or capture operator credentials.
Prerequisites
  • Network access to the IndustrialPI device on the web interface port (typically 80 or 443)
  • PiCtory version below 2.12 running on the device
Tags: remotely exploitable; no authentication required for initial bypass; low complexity attack; affects industrial control device; high CVSS (9.8)
Exploitability
Some exploitation risk — EPSS score 2.4%
Affected products (1)
Product                 | Affected Versions | Fix Status
Hardware IndustrialPI 4 | <2.12             | 2.12
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the IndustrialPI web interface using a firewall to only allow connections from authorized engineering workstations or management networks
HARDENING: Verify the PiCtory version after patching using: dpkg -l | grep pictory
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update PiCtory to version 2.12 or later using the package manager: sudo apt update && sudo apt upgrade -y
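An added verification check, not part of the advisory or of Pilz's tooling: a POSIX sh script that reads `dpkg -l` output and reports whether the installed PiCtory package is still below the fixed version 2.12, rather than relying on eyeballing the grep line. The package name `pictory` and the sample dpkg lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory). Reports whether the installed
# PiCtory package is below the fixed version 2.12 (PPSA-2025-001).
# Assumption: the Debian package is named "pictory"; adjust if it differs.

FIXED_VERSION="2.12"

# Compare two dotted versions numerically (2.11.2 < 2.12); prints -1, 0 or 1.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) { print -1; exit }
      if (p > q) { print 1; exit }
    }
    print 0
  }'
}

# Reads "dpkg -l" output on stdin and prints one of:
#   "vulnerable <version>", "fixed <version>" or "absent".
pictory_status() {
  ver=$(awk '$1 == "ii" && $2 == "pictory" { print $3; exit }')
  if [ -z "$ver" ]; then
    echo "absent"
    return 0
  fi
  # Strip a Debian epoch ("1:") and revision ("-1") to get the upstream version.
  upstream=${ver#*:}
  upstream=${upstream%%-*}
  if [ "$(vercmp "$upstream" "$FIXED_VERSION")" -lt 0 ]; then
    echo "vulnerable $ver"
  else
    echo "fixed $ver"
  fi
}

# Constructed sample dpkg -l output (not captured from a real device).
SAMPLE='ii  pictory    2.11.2-1  armhf  PiCtory configuration interface
ii  picontrol  1.0.4     armhf  piControl driver'
printf '%s\n' "$SAMPLE" | pictory_status
```

On a device, run `dpkg -l | pictory_status` after the apt upgrade; anything other than a `fixed` line means the hotfix has not landed.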
API: /api/v1/advisories/52285512-46c9-4234-a870-6d4fff0391eb