Pilz: Multiple Vulnerabilities affecting the PIT User Authentication Service
CVSS 7.5 · PPSA-2026-001 · Feb 2, 2026
Vendor: Pilz
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
PIT User Authentication Service, which is part of the PITmode operating mode selection and access permission system, contains multiple vulnerabilities in third-party components. These flaws include race conditions (CWE-362), missing error handling (CWE-404), resource exhaustion (CWE-770), and missing initialization (CWE-459). Affected versions are prior to 1.4.1. The vulnerabilities allow remote denial of service with no authentication required.
What this means
What could happen
An attacker on the network could cause a denial-of-service condition affecting the PIT User Authentication Service, which controls access permissions to the PITmode operating mode selection system. This could prevent authorized users from authenticating or switching operating modes on industrial equipment.
Who's at risk
Water and electric utilities using Pilz PITmode access control systems, particularly those with PIT User Authentication Service and PITreader devices on networked control systems. This affects anyone relying on Pilz authentication for operating mode selection on their automation equipment.
How it could be exploited
An attacker with network access to the PIT User Authentication Service can send crafted requests that trigger one of multiple flaws in third-party components (race conditions, missing input validation, or resource exhaustion). This causes the authentication service to become unavailable, blocking legitimate access control operations.
Prerequisites
- Network access to the PIT User Authentication Service (the port is deployment-specific; 8080 is typical)
- No authentication required for exploitation
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (9.6%)
Exploitability
Some exploitation risk — EPSS score 9.6%
Public Proof-of-Concept (PoC) on GitHub (8 repositories)
Affected products (2), 2 with fix
Product                         | Affected Versions | Fix Status
PIT User Authentication Service | < 1.4.1           | Fix available
PIT User Authentication Service | 1.4.0             | Fix available
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to PIT User Authentication Service using firewall rules to allow only trusted systems that require authentication access
Schedule — requires maintenance window
- Patching may require device reboot — plan for process interruption
- HOTFIX: Update PIT User Authentication Service to version 1.4.1 or later
Long-term hardening
- HARDENING: Restrict network access to PITreader devices using host-based firewall or network segmentation
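A concrete form of the workaround and hardening items above, added here as an example that is not from Pilz or this advisory: a POSIX shell helper that renders an nftables ruleset admitting only allowlisted IPv4 sources to the service's TCP port and dropping every other client of that port. The port (8080) and the sample source addresses are assumptions; the advisory notes the port depends on the deployment.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that lets only trusted IPv4 hosts
# reach the PIT User Authentication Service TCP port and drops all other
# clients of that port. Port 8080 and the sample sources are assumptions;
# set the port to the one actually used in your deployment.
# Apply on a Linux host in front of (or on) the service:
#   pit_auth_allowlist_rules 8080 10.10.5.0/24 10.10.9.21 | nft -f -

# Accept a single IPv4 address or an IPv4 CIDR prefix; reject anything else.
pit_valid_ipv4_cidr() {
    case "$1" in
        ''|*[!0-9./]*|/*|*/|.*|*.|*..*|*//*) return 1 ;;
    esac
    ip=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32             # no "/N" given: single host address
    [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: pit_auth_allowlist_rules PORT SOURCE [SOURCE...]
# Prints the ruleset on stdout; on invalid input it prints a reason on stderr
# and returns 1, so a malformed allowlist is never loaded into the kernel.
pit_auth_allowlist_rules() {
    port=$1; shift
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] ||
        { echo "invalid port: $port" >&2; return 1; }
    [ $# -gt 0 ] || { echo "at least one trusted source is required" >&2; return 1; }
    sources=""
    for src in "$@"; do
        pit_valid_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
        sources="${sources:+$sources, }$src"
    done
    printf 'table inet pit_auth {\n'
    printf '  set trusted_sources { type ipv4_addr; flags interval; elements = { %s } }\n' "$sources"
    printf '  chain input { type filter hook input priority 0; policy accept;\n'
    printf '    tcp dport %s ip saddr @trusted_sources accept\n' "$port"
    printf '    tcp dport %s counter drop\n' "$port"   # counter makes blocked attempts visible
    printf '  }\n}\n'
}

pit_auth_allowlist_rules 8080 10.10.5.0/24 10.10.9.21
```

The `counter` on the drop rule lets `nft list ruleset` show how many connection attempts from non-allowlisted hosts were refused, which is a cheap detection signal for scanning of the service port.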