Pilz: Multiple Vulnerabilities affecting the PIT User Authentication Service
Priority: Act Now · Score: 7.5 · Advisory ID: PPSA-2026-001 · Published: Feb 2, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The PIT User Authentication Service (part of PITmode, the operating mode selection and access permission system) contains multiple vulnerabilities in third-party components. These vulnerabilities can be exploited remotely without authentication and may lead to denial of service or disruption of the authentication service.
What this means
What could happen
An attacker on the network could crash or degrade the PIT User Authentication Service. While the service is down, the access-permission checks that PITmode relies on cannot be completed, so authorized users may be unable to authenticate for operating mode selection on the machines the system protects. The service is integral to PITmode access permissions, so its unavailability can affect operation of the protected systems.
Who's at risk
This affects users of Pilz PIT systems, particularly those using PITmode for access control and operating mode selection in manufacturing or safety-critical applications. The PIT User Authentication Service is the authentication backend for PITreader devices, so any facility relying on PITmode access permissions should assess its exposure.
How it could be exploited
An attacker with network access to the PIT User Authentication Service could send crafted requests that trigger denial-of-service conditions or resource exhaustion in the third-party components embedded in the service. No authentication is required to initiate the attack.
Prerequisites
- Network reachability to the host running the PIT User Authentication Service
- The PIT User Authentication Service must be running an affected version (1.4.0 or earlier; every version below 1.4.1 is affected)
Tags: remotely exploitable · no authentication required · low complexity · affects safety systems
Exploitability
High exploit probability (EPSS 20.3%, i.e. an estimated 20.3% probability of exploitation activity in the wild within the next 30 days)
Affected products (2), 2 with fix

Product                          | Affected Versions | Fix Status
PIT User Authentication Service  | < 1.4.1           | Fix available (1.4.1)
PIT User Authentication Service  | 1.4.0             | Fix available (1.4.1)
Remediation & Mitigation

Do now
- WORKAROUND: Restrict network access to the PIT User Authentication Service and PITreader using firewall rules that allow only authorized machines and networks (the PITreader devices and the administration hosts that legitimately talk to the service). This reduces exposure but does not remove the vulnerable third-party components; the update below is still required.
- HARDENING: Deploy a host-based firewall on systems running the PIT User Authentication Service to limit inbound network connections to the service port.

Schedule (requires maintenance window)
- HOTFIX: Update PIT User Authentication Service to version 1.4.1 or later. Patching may require a device reboot; plan for process interruption.
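Worked example of the network-restriction workaround above, added here and not part of the Pilz advisory: a POSIX shell script that builds an nftables allowlist for the service port. The port (8443) and the peer addresses are placeholders; the service's real listening port, the PITreader devices and the administration hosts must be substituted, and the script assumes a Linux host with nftables (the advisory does not state the platform the service runs on).

```shell
#!/bin/sh
# Added example, not Pilz code. Builds an nftables ruleset that allows
# inbound TCP to the PIT User Authentication Service port only from an
# explicit list of peers and drops (and logs) everything else.
# ASSUMPTIONS: Linux host with nftables; port 8443 and the peer
# addresses used below are placeholders, not values from the advisory.
set -eu

# build_ruleset PORT PEER [PEER...]
# Prints the ruleset to stdout; nothing is applied.
build_ruleset() {
    port="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "build_ruleset: at least one allowed peer is required" >&2
        return 1
    fi
    printf 'table inet pit_uas {\n'
    printf '  set allowed_peers {\n'
    printf '    type ipv4_addr\n'
    printf '    flags interval\n'   # lets single hosts and CIDR ranges mix
    printf '    elements = { '
    sep=""
    for peer in "$@"; do
        printf '%s%s' "$sep" "$peer"
        sep=", "
    done
    printf ' }\n'
    printf '  }\n'
    printf '  chain input {\n'
    # policy accept: only the service port is restricted by this table,
    # so management traffic to the host is not locked out by mistake.
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    ct state established,related accept\n'
    printf '    tcp dport %s ip saddr @allowed_peers accept\n' "$port"
    printf '    tcp dport %s log prefix "pit_uas_blocked: " drop\n' "$port"
    printf '  }\n'
    printf '}\n'
}

# apply_ruleset PORT PEER [PEER...]
# Syntax-checks the generated ruleset (nft -c) and then loads it.
apply_ruleset() {
    ruleset="$(build_ruleset "$@")"
    printf '%s\n' "$ruleset" | nft -c -f -
    printf '%s\n' "$ruleset" | nft -f -
}

# Usage: print the ruleset for the placeholder port, one placeholder
# PITreader address and one placeholder administration subnet.
build_ruleset 8443 10.0.0.5 10.0.1.0/24
```

The drop rule logs with the pit_uas_blocked prefix so that connection attempts from unexpected sources can be watched during the window before the 1.4.1 update is applied. Running apply_ruleset requires root and an nft binary that accepts a ruleset on stdin.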