VDE-2025-052

Vulnerability from csaf_weidmuellerinterfacegmbhcokg - Published: 2025-06-11 10:00 - Updated: 2025-07-23 10:00
Summary
Weidmueller: Security routers IE-SR-2TX are affected by multiple vulnerabilities
Severity
High
Notes
Summary: Weidmueller security routers IE-SR-2TX are affected by multiple vulnerabilities (CVE-2025-41661, CVE-2025-41663, CVE-2025-41683, CVE-2025-41684, CVE-2025-41687). Weidmueller has released new firmware versions of the affected products to fix the vulnerabilities. **Update Version 1.1.0:** Added CVEs CVE-2025-41683, CVE-2025-41684 and CVE-2025-41687. Updated CVSS Score for CVE-2025-41663. Removed CVE-2025-41662.
General Recommendation: As a general security measure, Weidmueller strongly recommends to change the default passwords and to minimize the network exposure of products. Limit access to trusted networks by using the appropriate mechanisms.
Impact: Weidmueller security routers are vulnerable to multiple vulnerabilities, that may lead to execution of arbitrary commands on affected devices with root privileges. Further information can be found under vulnerability details.
Remediation: Update to the new version as listed in the following table: | Product | Affected Version | Fixed Version | |----------------------------------|------------------|---------------| |IE-SR-2TX-WL | <V1.49 | V1.49 | |IE-SR-2TX-WL-4G-EU | <V1.62 | V1.62 | |IE-SR-2TX-WL-4G-US-V | <V1.62 | V1.62 |
CVE-2025-41661

An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection.

8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-352 - Cross-Site Request Forgery (CSRF)
Vendor Fix Update to version V1.49
Vendor Fix Update to version V1.62
CVE-2025-41683

An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface (endpoint event_mail_test).

8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Vendor Fix Update to version V1.49
Vendor Fix Update to version V1.62
CVE-2025-41684

An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface (endpoint tls_iotgen_setting).

8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Vendor Fix Update to version V1.49
Vendor Fix Update to version V1.62
CVE-2025-41663

For u-link Management API an unauthenticated remote attacker in a man-in-the-middle position can inject arbitrary commands in responses returned by WWH servers, which are then executed with elevated privileges. To get into such a position, clients would need to use insecure proxy configurations.

9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Vendor Fix Update to version V1.49
Vendor Fix Update to version V1.62
CVE-2025-41687

An unauthenticated remote attacker may use a stack based buffer overflow in the u-link Management API to gain full access on the affected devices.

9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-121 - Stack-based Buffer Overflow
Vendor Fix Update to version V1.49
Vendor Fix Update to version V1.62
References
Acknowledgments
CERT@VDE certvde.com
ONEKEY Research Labs onekey.com
Dragos Inc. Reid Wightman www.dragos.com
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "organization": "ONEKEY Research Labs",
        "summary": "Coordinated Disclosure",
        "urls": [
          "https://onekey.com"
        ]
      },
      {
        "names": [
          "Reid Wightman "
        ],
        "organization": "Dragos Inc.",
        "summary": "in-depth review",
        "urls": [
          "https://www.dragos.com"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document",
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Weidmueller security routers IE-SR-2TX are affected by multiple vulnerabilities (CVE-2025-41661, CVE-2025-41663, CVE-2025-41683, CVE-2025-41684, CVE-2025-41687).\n\nWeidmueller has released new firmware versions of the affected products to fix the vulnerabilities.\n\n**Update Version 1.1.0:** Added CVEs CVE-2025-41683, CVE-2025-41684 and CVE-2025-41687.\nUpdated CVSS Score for CVE-2025-41663.\nRemoved CVE-2025-41662.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Weidmueller strongly recommends to change the default passwords and to minimize the network exposure of products. Limit access to trusted networks by using the appropriate mechanisms.",
        "title": "General Recommendation"
      },
      {
        "category": "description",
        "text": "Weidmueller security routers are vulnerable to multiple vulnerabilities, that may lead to execution of arbitrary commands on affected devices with root privileges.\n\nFurther information can be found under vulnerability details.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update to the new version as listed in the following table:\n\n| Product                          | Affected Version | Fixed Version |\n|----------------------------------|------------------|---------------| \n|IE-SR-2TX-WL                      | \u003cV1.49           | V1.49         |\n|IE-SR-2TX-WL-4G-EU                | \u003cV1.62         | V1.62         |\n|IE-SR-2TX-WL-4G-US-V              | \u003cV1.62          | V1.62         |\n",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@weidmueller.com",
      "name": "Weidmueller Interface GmbH \u0026 Co. KG",
      "namespace": "https://www.weidmueller.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Weidmueller Security Advisory Board",
        "url": "https://support.weidmueller.com/support-center/popular-resources/security-advisory-board"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Weidmueller",
        "url": "https://certvde.com/de/advisories/vendor/weidmueller/"
      },
      {
        "category": "self",
        "summary": "VDE-2025-052: Weidmueller: Security routers IE-SR-2TX are affected by multiple vulnerabilities - HTML",
        "url": "https://certvde.com/de/advisories/VDE-2025-052"
      },
      {
        "category": "self",
        "summary": "VDE-2025-052: Weidmueller: Security routers IE-SR-2TX are affected by multiple vulnerabilities - CSAF",
        "url": "https://weidmueller.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-052.json"
      }
    ],
    "title": "Weidmueller: Security routers IE-SR-2TX are affected by multiple vulnerabilities",
    "tracking": {
      "aliases": [
        "VDE-2025-052",
        "WMSA-2500004"
      ],
      "current_release_date": "2025-07-23T10:00:00.000Z",
      "generator": {
        "date": "2025-07-22T11:20:26.072Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.30"
        }
      },
      "id": "VDE-2025-052",
      "initial_release_date": "2025-06-11T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-06-11T10:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-23T10:00:00.000Z",
          "number": "1.1.0",
          "summary": "Added CVEs CVE-2025-41683, CVE-2025-41684 and CVE-2025-41687.\nUpdated CVSS Score for CVE-2025-41663.\nRemoved CVE-2025-41662."
        }
      ],
      "status": "final",
      "version": "1.1.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "IE-SR-2TX-WL",
                "product": {
                  "name": "IE-SR-2TX-WL",
                  "product_id": "CSAFPID-0001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2682590000"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "IE-SR-2TX-WL-4G-EU",
                "product": {
                  "name": "IE-SR-2TX-WL-4G-EU",
                  "product_id": "CSAFPID-0002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2682560000"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "IE-SR-2TX-WL-4G-US-V",
                "product": {
                  "name": "IE-SR-2TX-WL-4G-US-V",
                  "product_id": "CSAFPID-0003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2682580000"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV1.49",
                "product": {
                  "name": "Firmware \u003cV1.49",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV1.62",
                "product": {
                  "name": "Firmware \u003cV1.62",
                  "product_id": "CSAFPID-21002"
                }
              },
              {
                "category": "product_version",
                "name": "V1.49",
                "product": {
                  "name": "Firmware V1.49",
                  "product_id": "CSAFPID-22001"
                }
              },
              {
                "category": "product_version",
                "name": "V1.62",
                "product": {
                  "name": "Firmware V1.62",
                  "product_id": "CSAFPID-22002"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Weidm\u00fcller"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003cV1.49 installed on IE-SR-2TX-WL",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-0001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003cV1.62 installed on IE-SR-2TX-WL-4G-EU",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-0002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003cV1.62 installed on IE-SR-2TX-WL-4G-US-V",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-0003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V1.49 installed on IE-SR-2TX-WL",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-0001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V1.62 installed on IE-SR-2TX-WL-4G-EU",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-0002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V1.62 installed on IE-SR-2TX-WL-4G-US-V",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-0003"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41661",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection.",
          "title": "Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.49",
          "product_ids": [
            "CSAFPID-31001"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.62",
          "product_ids": [
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2025-41661"
    },
    {
      "cve": "CVE-2025-41683",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface (endpoint event_mail_test).",
          "title": "Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.49",
          "product_ids": [
            "CSAFPID-31001"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.62",
          "product_ids": [
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2025-41683"
    },
    {
      "cve": "CVE-2025-41684",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface (endpoint tls_iotgen_setting).",
          "title": "Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.49",
          "product_ids": [
            "CSAFPID-31001"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.62",
          "product_ids": [
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2025-41684"
    },
    {
      "cve": "CVE-2025-41663",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "For u-link Management API an unauthenticated remote attacker in a man-in-the-middle position can inject arbitrary commands in responses returned by WWH servers, which are then executed with elevated privileges. To get into such a position, clients would need to use insecure proxy configurations.\n",
          "title": "Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.49",
          "product_ids": [
            "CSAFPID-31001"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.62",
          "product_ids": [
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2025-41663"
    },
    {
      "cve": "CVE-2025-41687",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthenticated remote attacker may use a stack based buffer overflow in the u-link Management API to gain full access on the affected devices.",
          "title": "Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.49",
          "product_ids": [
            "CSAFPID-31001"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2025-05-27T15:00:00.000Z",
          "details": "Update to version V1.62",
          "product_ids": [
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "CVE-2025-41687"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.