Remote Code Execution Vulnerability in Wattsense Bridge Devices
CVE-2025-26411
8.8 HIGH
Key Information:
- Vendor: Wattsense
- Status
- Wattsense Bridge
- Vendor
- CVE Published: 11 February 2025
Summary
An authentication bypass vulnerability exists in Wattsense Bridge devices that allows an authenticated attacker to exploit the Plugin Manager functionality. By uploading malicious Python files, the attacker can gain remote root access. Exploitation requires valid user credentials for the Wattsense web interface. Users should upgrade to firmware version BSP >= 6.1.0 to mitigate the issue.
Affected Version(s)
Wattsense Bridge 0 < 6.1.0
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Constantin Schieber-Knöbl | SEC Consult Vulnerability Lab
Stefan Schweighofer | SEC Consult Vulnerability Lab
Steffen Robertz | SEC Consult Vulnerability Lab