Automatic Windows User Login in Endress+Hauser Device
CVE-2025-27461

7.6 HIGH

What is CVE-2025-27461?

A significant security concern exists in the EPC2 product from Endress+Hauser, where the device automatically logs into the Windows user account (EPC2) during startup, bypassing the password prompt. This flaw can expose systems to unauthorized access, thereby increasing the risk of data breaches and exploitation. Organizations are urged to investigate this vulnerability and implement appropriate security measures to mitigate potential risks.

Affected Version(s)

Endress+Hauser MEAC300-FNADE4 vers:all/*

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
