Pilz: Missing Authentication in Node-RED integration

Act Now (10) | PPSA-2025-002 | Jul 1, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Pilz IndustrialPI 4 has Node-RED authentication disabled by default. An unauthenticated remote attacker with network access to the Node-RED server can execute arbitrary operating system commands with privileged rights on the device. This allows complete compromise of the industrial PC and any processes it controls.

What this means
What could happen
An attacker with network access to an unprotected IndustrialPI can run arbitrary commands with system privileges, potentially stopping production, altering automation logic, or sabotaging safety-critical processes.
Who's at risk
Pilz IndustrialPI industrial PC users in manufacturing environments who use automation or process control workflows. This affects any facility relying on IndustrialPI for control logic, data acquisition, or process orchestration where Node-RED is exposed to the network.
How it could be exploited
An attacker connects to the Node-RED server port on the IndustrialPI over the network. Since authentication is disabled by default, the attacker immediately gains access to the Node-RED interface and can execute arbitrary operating system commands with elevated privileges on the underlying system.
Prerequisites
  • Network access to the Node-RED server port on IndustrialPI (default configuration)
  • No authentication credentials required
  • Node-RED service must be enabled on the device
Tags: remotely exploitable, no authentication required, low complexity, affects safety systems, high CVSS score, full system command execution as privileged user
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
IndustrialPI 4 | ≤ 2024-08 | Fix available
Remediation & Mitigation
Do now
HARDENING: Enable Node-RED authentication by configuring credentials through the IndustrialPI web application, following the remediation PDF provided by Pilz
WORKAROUND: Restrict network access to the Node-RED service port using firewall rules; allow only trusted engineering workstations or management networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Check whether Node-RED is required for your operation; if not, disable the Node-RED service entirely
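As an added example (not Pilz's code and not part of this advisory), the following shows the generic Node-RED mechanism behind the hardening step above: the unprotected settings shape beside a settings.js with `adminAuth` credentials, plus a small audit function a defender can run against a settings object to confirm authentication is actually enforced. On IndustrialPI the supported route is the vendor's web application as noted above; the user names and hash values below are constructed placeholders.

```javascript
// Added example: audit a Node-RED settings object for missing editor / Admin API
// authentication. Node-RED loads these keys from settings.js; adminAuth is its
// built-in "credentials" mechanism. Not vendor code; values are placeholders.

// Constructed: what an unprotected install looks like (adminAuth absent).
const defaultSettings = { uiPort: 1880 };

// Constructed: hardened settings. Passwords are bcrypt hashes generated
// offline with `node-red admin hash-pw`; the values here are placeholders.
const hardenedSettings = {
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [
      { username: "engineer", password: "$2b$08$PLACEHOLDER_HASH", permissions: "*" },
      { username: "viewer", password: "$2b$08$PLACEHOLDER_HASH", permissions: "read" },
    ],
  },
};

// bcrypt hashes start with $2a$, $2b$ or $2y$ followed by a two-digit cost.
// A stricter check would also require the full 60-character length.
const BCRYPT_PREFIX = /^\$2[aby]\$\d{2}\$/;

// Returns { secure, findings }. secure is true only when adminAuth uses
// static credentials, at least one user exists, and every user has a
// username and a hashed (not plaintext) password. Other adminAuth types
// (e.g. a strategy object or a users() function) are reported for manual review.
function auditAdminAuth(settings) {
  const findings = [];
  const auth = settings && settings.adminAuth;
  if (!auth) {
    findings.push("adminAuth missing: editor and Admin API are unauthenticated");
    return { secure: false, findings };
  }
  if (auth.type !== "credentials") {
    findings.push(`adminAuth.type is ${auth.type}: review manually`);
  }
  const users = Array.isArray(auth.users) ? auth.users : [];
  if (users.length === 0) findings.push("adminAuth.users is empty or not a static list");
  for (const u of users) {
    if (!u.username) findings.push("user entry without a username");
    if (!BCRYPT_PREFIX.test(String(u.password || ""))) {
      findings.push(`user ${u.username}: password is not a bcrypt hash`);
    }
  }
  return { secure: findings.length === 0, findings };
}
```

The audit only reasons about the settings object; it does not prove the running service loaded that file, so pair it with a check that the editor port answers with a 401 when accessed without credentials.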