Kunbus RevolutionPi: CISA warning about security vulnerabilities
Several gaps affect PiCtory, a web application for configuring the mini industrial systems. Kunbus has published patches and its own warning messages.
Devices from the "Revolution Pi" series and their peripherals are suitable for top-hat rail mounting.
The US cyber security authority CISA warns of several security vulnerabilities in ICS systems (Industrial Control Systems) from the German manufacturer Kunbus. PiCtory, the web application for configuring the "Revolution Pi" series of mini industrial computers and the operating system image lacked authentication in several places, opening the door to attackers. PiCtory was also sloppy when checking input data.
The CISA warning covers four vulnerabilities:
- The "perfect CVSS score" of 10.0 (severity "critical") is given to the missing authentication for the Node-RED server included in Revolution Pi OS (CVE-2025-24522, EUVD-2025-13263)
- A gap that can bypass authentication in PiCtory versions between 2.5.0 and 2.11.1 via "path traversal", i.e. the clever manipulation of URL paths, still scores 9.8 points (CVE-2025-32011, EUVD-2025-13269, severity "critical")
- Attackers who are logged on to a PiCtory instance with version 2.11.1 or older (e.g. via one of the previous vulnerabilities) can inject script code via the file name of a configuration file, which is then executed in the browsers of legitimate users (stored cross-site scripting). The vulnerability is "critical" with a CVSS score of 9.0 and has the identifiers CVE-2025-35996 and EUVD-2025-13257
- If an attacker gets a legitimate PiCtory user to open a prepared URL containing script code, the victim's browser executes it (reflected cross-site scripting). The vulnerability with the CVE ID CVE-2025-36558 and EUVD-2025-13267 has a CVSS value of 6.1/10 and is therefore of medium severity. All PiCtory versions up to 2.11.1 are affected.
Kunbus repairs promptly, CISA warns late
Manufacturer Kunbus reacted to the vulnerabilities reported by an external security researcher at the beginning of April and repaired some of them via a package update. Both XSS vulnerabilities and the critical path manipulation vulnerability have been fixed in PiCtory 2.12, as Kunbus writes in a security advisory.
However, a new operating system image that corrects the missing authentication of the Node-RED server is not yet available at the beginning of May 2025. When asked by heise security, Kunbus spokesperson Ekkehard Krebs explained: "A final solution to the problem (including a new rights management for Node-RED) will be provided together with the update of our OS image scheduled for next week." Until then, administrators should make the necessary configuration adjustments themselves – Kunbus provides instructions in the Security Advisory.
It is unclear why CISA felt compelled to issue a warning at the beginning of May, i.e. one month after Kunbus published the security advisories. According to the authority, it is not aware of the vulnerabilities being actively exploited to take over or damage devices.
(cku)