Unsecured Node-RED Server Exposes Devices to Remote Command Execution by Unauthenticated Users
CVE-2025-41656

10CRITICAL

Key Information:

Vendor: Pilz
Status: Industrialpi 4 With Firmware Bullseye
Vendor: CVE Published:; 1 July 2025

What is CVE-2025-41656?

An unprotected Node-RED server permits unauthenticated remote attackers to execute arbitrary commands with elevated privileges. This glaring security misconfiguration means that without default authentication in place, attackers can gain high-level control over affected devices, leading to serious security breaches. Organizations using Node-RED should prioritize addressing this vulnerability by implementing proper authentication measures.

Affected Version(s)

IndustrialPI 4 with Firmware Bullseye 0 <= 2024-08

References

https://certvde.com/en/advisories/VDE-2025-045

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 1, 2025
Vulnerability Reserved
Apr 16, 2025

Pilz

What is CVE-2025-41656?

Affected Version(s)

References

CVSS V3.1

Timeline