Pilz: Authentication Bypass in IndustrialPI Webstatus

Plan Patch | CVSS 9.8 | PPSA-2025-003 | Jul 1, 2025
Pilz | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Pilz IndustrialPI 4 webstatus web application (versions below 2.4.6) contains an authentication bypass vulnerability that allows unauthenticated network access to the management interface. The webstatus application monitors and configures industrial processes and is commonly integrated with PLCs and automated systems. An attacker can reach this interface without credentials, potentially allowing manipulation of process setpoints, operational data, and system configuration. The weakness is classified as CWE-704 (Incorrect Type Conversion or Cast) and carries a CVSS score of 9.8 (critical).

What this means
What could happen
An unauthenticated attacker on your network could bypass login on the IndustrialPI webstatus interface, gaining access to view and modify industrial process data and settings without credentials.
Who's at risk
Manufacturers and process facilities using Pilz IndustrialPI 4 industrial PCs for real-time process monitoring and control should be concerned. Any facility relying on the webstatus interface to manage PLCs, drive systems, or safety-critical equipment is at risk.
How it could be exploited
An attacker on the same network (or with other network access to the IndustrialPI) can reach the webstatus web interface on port 80/443 without providing valid credentials. Once past the login, they could change process parameters, stop operations, or extract sensitive configuration data.
Prerequisites
  • Network access to the IndustrialPI webstatus web interface (typically port 80 or 443)
  • IndustrialPI 4 with a webstatus version below 2.4.6
Tags: remotely exploitable, no authentication required, low complexity, affects industrial control systems, critical severity (CVSS 9.8)
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product          Affected Versions   Fix Status
IndustrialPI 4   <2.4.6              2.4.6
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the IndustrialPI webstatus interface using firewall rules; limit access to only authorized engineering workstations or management networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update the webstatus package to version 2.4.6 using 'sudo apt update && sudo apt upgrade -y'
HOTFIX: Verify the webstatus package version with 'dpkg -l | grep revpi-webstatus' to confirm the update was applied
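The verification step above leaves the operator to judge by eye whether the version printed by dpkg is at or above 2.4.6. The following POSIX sh script is an added example, not part of the advisory or of Pilz's tooling: it parses a "dpkg -l" line for revpi-webstatus and compares the version numerically against the fixed release, so that 2.10.0 is correctly treated as newer than 2.4.6. The dpkg line it checks is constructed sample output; it assumes plain numeric dotted versions and drops any Debian revision suffix.

```shell
#!/bin/sh
# Added example, not from the advisory: decide from "dpkg -l" output whether
# an installed revpi-webstatus package is below the fixed release 2.4.6.
# Assumes plain numeric dotted versions; any Debian revision ("-1") is dropped.

FIXED_VERSION="2.4.6"

# Return 0 when dotted version $1 is lower than $2, 1 otherwise.
# Fields are compared numerically so that 2.10.0 sorts above 2.4.6,
# and a missing field counts as 0 so that 2.4 sorts below 2.4.6.
version_lt() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        f1="${v1%%.*}"; f2="${v2%%.*}"
        case "$v1" in *.*) v1="${v1#*.}" ;; *) v1="" ;; esac
        case "$v2" in *.*) v2="${v2#*.}" ;; *) v2="" ;; esac
        f1="${f1:-0}"; f2="${f2:-0}"
        [ "$f1" -lt "$f2" ] && return 0
        [ "$f1" -gt "$f2" ] && return 1
    done
    return 1
}

# Print the version column of one "dpkg -l" line
# ("ii  package  version  arch  description").
dpkg_line_version() {
    set -f            # no glob expansion while word-splitting the line
    set -- $1
    printf '%s\n' "$3"
}

# Print a verdict for one "dpkg -l" line; return 0 when the install is
# vulnerable (version below the fix) and 1 when it is patched.
check_webstatus_line() {
    ver=$(dpkg_line_version "$1")
    base="${ver%%-*}"        # strip Debian revision, e.g. 2.4.6-1 -> 2.4.6
    if version_lt "$base" "$FIXED_VERSION"; then
        echo "revpi-webstatus $ver is below $FIXED_VERSION: VULNERABLE, apply the update"
        return 0
    fi
    echo "revpi-webstatus $ver is $FIXED_VERSION or later: patched"
    return 1
}

# Constructed sample line standing in for "dpkg -l | grep revpi-webstatus" output.
SAMPLE_DPKG_LINE="ii  revpi-webstatus  2.4.5  all  RevPi web status interface"
check_webstatus_line "$SAMPLE_DPKG_LINE"
```

On a live device, replace the sample line with the actual output of 'dpkg -l | grep revpi-webstatus'; the non-zero exit status of the patched case makes the check usable from a fleet-wide inventory script.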
Long-term hardening
HARDENING: Segment the IndustrialPI onto a separate industrial network with access controls from the broader facility network


Pilz: Authentication Bypass in IndustrialPI Webstatus | CVSS 9.8 - OTPulse