Pilz: Missing Authentication in Node-RED integration

Plan: Patch
CVSS: 10
Advisory ID: PPSA-2025-002
Date: Jul 1, 2025
Vendor: Pilz
Sector: Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Authentication is not configured by default for the Node-RED server on the Pilz IndustrialPI industrial PC. An unauthenticated remote attacker can access the Node-RED server and run arbitrary operating system commands with privileged rights on the underlying system.

What this means
What could happen
An attacker on your network could remotely run commands on an IndustrialPI with full system privileges, allowing them to alter automation logic, stop processes, or disrupt operations without needing any credentials.
Who's at risk
Manufacturing operations using Pilz IndustrialPI industrial PCs for automation logic and process control. This affects any facility that relies on Node-RED running on IndustrialPI for orchestration of industrial processes.
How it could be exploited
An attacker sends HTTP requests directly to the Node-RED web interface on the IndustrialPI (default network reachability). Since authentication is disabled by default, the attacker gains immediate access to the Node-RED flow editor and can inject commands that execute as root on the operating system.
Prerequisites
  • Network reachability to the IndustrialPI on the Node-RED port (default port 1880)
  • IndustrialPI with Node-RED service enabled
  • No authentication mechanism configured (the default state)
Tags: remotely exploitable, no authentication required, low complexity, affects safety systems and process control, CVSS 10 (critical), privileged command execution
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
Product | Affected Versions | Fix Status
IndustrialPI 4 | ≤ 2024-08 | Fix available
Remediation & Mitigation
Do now
HARDENING: Enable and configure authentication for the Node-RED server by following the remediation steps in the Pilz Security Advisory PDF (available at www.pilz.com/downloads)
WORKAROUND: Restrict network access to the IndustrialPI Node-RED port using firewall rules to limit connections to trusted engineering networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update IndustrialPI to version 2024-09 or later when released by Pilz
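One way to check a device's Node-RED settings.js for the default-unauthenticated state described above, as an added example that is not from Pilz or the Node-RED project (the sample settings objects and the bcrypt hash placeholders are constructed, and auditAdminAuth is a hypothetical helper; the adminAuth and httpAdminRoot keys are the ones Node-RED's own settings.js documents):

```javascript
// Added example, not Pilz's or the Node-RED project's own code: audit a
// Node-RED settings object (what settings.js exports) for the weakness in
// this advisory. With no adminAuth block, the flow editor and admin HTTP API
// on the uiPort (1880 by default) accept any client that can reach the port.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/;

// Constructed sample: the default state the advisory describes (no adminAuth).
const defaultSettings = { uiPort: 1880 };

// Constructed sample: adminAuth in the form Node-RED's settings.js documents.
// The hashes are placeholders shaped like the output of `node-red admin hash-pw`.
const hardenedSettings = {
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [
      { username: "admin", password: "$2b$08$" + "A".repeat(53), permissions: "*" },
      { username: "viewer", password: "$2b$08$" + "B".repeat(53), permissions: "read" },
    ],
  },
};

// Returns a list of findings; an empty list means the editor login is protected
// (or the editor and admin API are disabled outright via httpAdminRoot: false).
function auditAdminAuth(settings) {
  const findings = [];
  if (settings.httpAdminRoot === false) return findings; // editor/admin API off
  const auth = settings.adminAuth;
  if (!auth) {
    findings.push("adminAuth missing: flow editor and admin API are unauthenticated");
    return findings;
  }
  // Passport strategies and function-based user lookups are out of scope here.
  if (auth.type !== "credentials" || typeof auth.users === "function") return findings;
  const users = Array.isArray(auth.users) ? auth.users : [];
  if (users.length === 0) {
    findings.push("adminAuth.users is empty: no account can log in, check the config");
  }
  for (const u of users) {
    if (!BCRYPT_RE.test(String(u.password))) {
      findings.push(`user ${u.username}: password is not a bcrypt hash`);
    }
  }
  return findings;
}
```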