VDE-2025-079
Vulnerability from csaf_janitzaelectronicsgmbh - Published: 2026-03-10 07:00 - Updated: 2026-03-10 07:00
Summary
Janitza: Multiple vulnerabilities in UMG 96RM-E
Notes
Summary: An unauthenticated remote attacker can exploit several vulnerabilities in Janitza UMG 96RM-E devices to ultimately gain full system access and remote code execution.
Impact: In combination, these vulnerabilities allow an unauthenticated remote attacker to fully compromise the system, including remote code execution. Further details on each separate vulnerability can be found under vulnerability details.
Remediation: It is strongly advised to update the device firmware to the newest version. The vulnerabilities are fixed in firmware version 3.14.
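CVE-2025-41709 (CWE-78, OS command injection): An unauthenticated remote attacker can perform a command injection via Modbus-TCP or Modbus-RTU to gain read and write access on the affected device.
CVSS v3.1 base score: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H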
Vendor Fix
It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.
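CVE-2025-41710 (CWE-798, use of hard-coded credentials): An unauthenticated remote attacker may use hard-coded credentials to get access to the FTP server, if it has previously been activated, with limited read and write privileges.
CVSS v3.1 base score: 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N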
Vendor Fix
It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.
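CVE-2025-41711 (CWE-327, use of a broken or risky cryptographic algorithm): An unauthenticated remote attacker can use firmware images to extract password hashes and brute-force the plaintext passwords of accounts with limited access.
CVSS v3.1 base score: 5.3 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N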
Vendor Fix
It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.
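CVE-2025-41712 (CWE-732, incorrect permission assignment for critical resource): An unauthenticated remote attacker who tricks a user into uploading a manipulated HTML file can get access to sensitive information on the device. This is a result of incorrect permission assignment for the web server.
CVSS v3.1 base score: 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N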
Vendor Fix
It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.
References
Acknowledgments
CERT@VDE
certvde.com/en/
Deutsche Telekom Security (DT Security)
github.security.telekom.com/
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "Coordination",
"urls": [
"https://certvde.com/en/"
]
},
{
"organization": "Deutsche Telekom Security (DT Security)",
"summary": "Reporting",
"urls": [
"https://github.security.telekom.com/"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "An unauthenticated remote attacker can exploit several vulnerabilities in Janitza UMG 96RM-E devices to ultimately gain full system access and remote code execution.",
"title": "Summary"
},
{
"category": "description",
"text": "These vulnerabilities in combination allow an unauthenticated remote attacker to fully compromise the system including remote code execution. Further details on each separate vulnerability can be found under vulnerability details.",
"title": "Impact"
},
{
"category": "description",
"text": "It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@janitza.de",
"name": "Janitza electronics GmbH",
"namespace": "https://www.janitza.com"
},
"references": [
{
"category": "external",
"summary": "Janitza PSIRT contact",
"url": "https://www.janitza.com/de-de/service-support/security-issue-ticket"
},
{
"category": "external",
"summary": "Janitza advisory overview at CERT@VDE",
"url": "https://certvde.com/de/advisories/vendor/janitza/"
},
{
"category": "self",
"summary": "VDE-2025-079: Janitza: Multiple vulnerabilities in UMG 96RM-E - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-079"
},
{
"category": "self",
"summary": "VDE-2025-079: Janitza: Multiple vulnerabilities in UMG 96RM-E - CSAF",
"url": "https://janitza.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2025-079.json"
},
{
"category": "external",
"summary": "Telekom Security Advisory: Multiple vulnerabilities in Janitza UMG 96RM-E",
"url": "https://github.security.telekom.com/2025/11/multiple-vulnerabilities-in-janitza-umg96rm-e.html"
}
],
"title": "Janitza: Multiple vulnerabilities in UMG 96RM-E",
"tracking": {
"aliases": [
"VDE-2025-079"
],
"current_release_date": "2026-03-10T07:00:00.000Z",
"generator": {
"date": "2026-03-09T12:49:32.090Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.44"
}
},
"id": "VDE-2025-079",
"initial_release_date": "2026-03-10T07:00:00.000Z",
"revision_history": [
{
"date": "2026-03-10T07:00:00.000Z",
"number": "1.0.0",
"summary": "Initial Revision"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "UMG 96RM-E",
"product": {
"name": "UMG 96RM-E 24V",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"cpe": "cpe:2.3:h:janitza:umg_96rm_e_24:*:*:*:*:*:*:*:*",
"model_numbers": [
"5222063"
]
}
}
},
{
"category": "product_name",
"name": "UMG 96RM-E",
"product": {
"name": "UMG 96RM-E 230V",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"cpe": "cpe:2.3:h:janitza:umg_96rm_e_230:*:*:*:*:*:*:*:*",
"model_numbers": [
"5222062"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version",
"name": "3.13",
"product": {
"name": "Firmware 3.13",
"product_id": "CSAFPID-21001",
"product_identification_helper": {
"cpe": "cpe:2.3:o:janitza:umg_96rm_e_firmware:3.13:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "3.14",
"product": {
"name": "Firmware 3.14",
"product_id": "CSAFPID-21002",
"product_identification_helper": {
"cpe": "cpe:2.3:o:janitza:umg_96rm_e_firmware:3.14:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:generic/\u003c=3.13",
"product": {
"name": "Firmware \u003c=3.13",
"product_id": "CSAFPID-21003"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Janitza"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 3.13 installed on UMG 96RM-E 24V",
"product_id": "CSAFPID-31001",
"product_identification_helper": {
"cpe": "cpe:2.3:o:janitza:umg_96rm_e_24v_firmware:3.13:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 3.13 installed on UMG 96RM-E 230V",
"product_id": "CSAFPID-31002",
"product_identification_helper": {
"cpe": "cpe:2.3:o:janitza:umg_96rm_e_230v_firmware:3.13:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 3.14 installed on UMG 96RM-E 24V",
"product_id": "CSAFPID-32001",
"product_identification_helper": {
"cpe": "cpe:2.3:o:janitza:umg_96rm_e_24v_firmware:3.14:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 3.14 installed on UMG 96RM-E 230V",
"product_id": "CSAFPID-32002",
"product_identification_helper": {
"cpe": "cpe:2.3:o:janitza:umg_96rm_e_230v_firmware:3.14:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=3.13 installed on UMG 96RM-E 24V",
"product_id": "CSAFPID-31003",
"product_identification_helper": {
"cpe": "cpe:2.3:o:janitza:umg_96rm_e_24v_firmware:3.13:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-21003",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=3.13 installed on UMG 96RM-E 230V",
"product_id": "CSAFPID-31004",
"product_identification_helper": {
"cpe": "cpe:2.3:o:janitza:umg_96rm_e_230v_firmware:3.13:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-21003",
"relates_to_product_reference": "CSAFPID-11002"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-41709",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "An unauthenticated remote attacker can perform a command injection via Modbus-TCP or Modbus-RTU to gain read and write access on the affected device.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "Command injection in power analyzer via Modbus-TCP and Modbus-RTU"
},
{
"cve": "CVE-2025-41710",
"cwe": {
"id": "CWE-798",
"name": "Use of Hard-coded Credentials"
},
"notes": [
{
"category": "description",
"text": "An unauthenticated remote attacker may use hard-coded credentials to get access to the previously activated FTP Server with limited read and write privileges.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 6.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "Use of Hard-coded Credentials in power analyzer"
},
{
"cve": "CVE-2025-41711",
"cwe": {
"id": "CWE-327",
"name": "Use of a Broken or Risky Cryptographic Algorithm"
},
"notes": [
{
"category": "description",
"text": "An unauthenticated remote attacker can use firmware images to extract password hashes and brute force plaintext passwords of accounts with limited access. ",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 5.3,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "Use of a Broken or Risky Cryptographic Algorithm for firmware images of power analyzer"
},
{
"cve": "CVE-2025-41712",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "description",
"text": "An unauthenticated remote attacker who tricks a user to upload a manipulated HTML file can get access to sensitive information on the device. This is a result of incorrect permission assignment for the web server.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "It is strongly advised to update to the newest version. The vulnerabilities are fixed in version 3.14.",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 6.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "Incorrect Permission Assignment on power analyzer"
}
]
}