#VU112894 Incorrect Implementation of Authentication Algorithm in Revolution Pi Webstatus and Revolution Pi OS Bullseye - CVE-2025-41646


Vulnerability identifier: #VU112894

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-41646

CWE-ID: CWE-303

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Revolution Pi Webstatus
Other software / Other software solutions
Revolution Pi OS Bullseye
Other software / Other software solutions

Vendor: Kunbus

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to implicit type conversion within the password check. A remote attacker can bypass authentication on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Revolution Pi Webstatus: - - 2.4.5

Revolution Pi OS Bullseye: All versions

External links
https://psirt.kunbus.com/.well-known/csaf/white/2025/kunbus-2025-0000003.json
https://www.kunbus.com/en/productsecurity/Kunbus-2025-0000003
https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-09

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Incorrect Implementation of Authentication Algorithm in KUNBUS RevPi Webstatus