VDE-2025-086
Vulnerability from csaf_jumogmbhcokg - Published: 2025-11-10 11:00 - Updated: 2025-11-10 11:00
Summary
Jumo: Predictable debug-interface password in variTRON series
Severity
High
Notes
Summary: A vulnerability was identified in the variTRON password generation algorithm of the debug interface. The PRNG is initialized with the current Unix timestamp, so the resulting password is predictable.
With the password, root access to the UART and SSH interfaces can be gained.
The impact is limited, since the debug interface has to be actively enabled by an authorized user and is deactivated automatically after the next reboot of the device.
Impact: Unauthorized root access to the UART and SSH interfaces.
Remediation: Update the affected products to version 9.0.2.5.
Mitigation: Disable the debug interface to prevent unauthorized root access to the UART and SSH interfaces.
A vulnerability was identified in the password generation algorithm when accessing the debug-interface. An unauthenticated local attacker with knowledge of the password generation timeframe might be able to brute force the password in a timely manner and thus gain root access to the device if the debug interface is still enabled.
CVSS 3.1 base score: 7.4 (High), vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Fix
Update the affected products to version 9.0.2.5.
Mitigation
Disable the debug interface to prevent unauthorized root access to the SSH interface. The SSH debug interface is deactivated after rebooting the system.
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| variTRON300 | CSAFPID-32001 | Firmware 9.0.2.5 | — |
| variTRON500 | CSAFPID-32002 | Firmware 9.0.2.5 | — |
| variTRON500 touch | CSAFPID-32003 | Firmware 9.0.2.5 | — |
Known affected
3 products
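| Product | Identifier | Version | Remediation |
|---|---|---|---|
| variTRON300 | CSAFPID-31001 | Firmware <9.0.2.5 | Vendor fix: update to version 9.0.2.5 |
| variTRON500 | CSAFPID-31002 | Firmware <9.0.2.5 | Vendor fix: update to version 9.0.2.5 |
| variTRON500 touch | CSAFPID-31003 | Firmware <9.0.2.5 | Vendor fix: update to version 9.0.2.5 |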
References
5 references
| URL | Category |
|---|---|
| https://www.jumo.de | external |
| https://certvde.com/de/advisories/vendor/jumo/ | external |
| https://certvde.com/en/advisories/VDE-2025-086 | self |
| https://jumo.csaf-tp.certvde.com/.well-known/csaf… | self |
| https://certvde.com/en/advisories/VDE-2025-015/ | external |
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "High"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A vulnerability was identified in the variTRON password generation algorithm of the debug-interface. The PRNG is initialized with the current Unix Timestamp, thus the resulting password is predictable.\nWith the password root-access to the UART and ssh Interface can be gained.\nThe impact is limited, since the debug-interface has to be actively enabled by an authorized user and will be deactivated automatically after the next reboot of the device.",
"title": "Summary"
},
{
"category": "description",
"text": "Unauthorized root-access to the UART and ssh Interface.",
"title": "Impact"
},
{
"category": "description",
"text": "Update the affected products to version 9.0.2.5. ",
"title": "Remediation"
},
{
"category": "description",
"text": "Disable the debug-interface to prevent unauthorized root-access to the UART and ssh Interface.",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@jumo.net",
"name": "JUMO GmbH \u0026 Co. KG",
"namespace": "https://www.jumo.de"
},
"references": [
{
"category": "external",
"summary": "Jumo PSIRT",
"url": "https://www.jumo.de"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Jumo",
"url": "https://certvde.com/de/advisories/vendor/jumo/"
},
{
"category": "self",
"summary": "VDE-2025-086: Jumo: Predictable debug-interface password in variTRON series - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-086"
},
{
"category": "self",
"summary": "VDE-2025-086: Jumo: Predictable debug-interface password in variTRON series - CSAF",
"url": "https://jumo.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-086.json"
}
],
"title": "Jumo: Predictable debug-interface password in variTRON series",
"tracking": {
"aliases": [
"VDE-2025-086"
],
"current_release_date": "2025-11-10T11:00:00.000Z",
"generator": {
"date": "2025-11-04T13:31:42.418Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.38"
}
},
"id": "VDE-2025-086",
"initial_release_date": "2025-11-10T11:00:00.000Z",
"revision_history": [
{
"date": "2025-11-10T11:00:00.000Z",
"number": "1.0.0",
"summary": "Release version."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "variTRON300",
"product": {
"name": "variTRON300",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": " variTRON500",
"product": {
"name": "variTRON500",
"product_id": "CSAFPID-11002"
}
},
{
"category": "host_name",
"name": "variTRON500 touch",
"product": {
"name": "variTRON500 touch",
"product_id": "CSAFPID-11003"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c9.0.2.5. ",
"product": {
"name": "Firmware \u003c9.0.2.5. ",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "9.0.2.5. ",
"product": {
"name": "Firmware 9.0.2.5. ",
"product_id": "CSAFPID-22001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Jumo"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c9.0.2.5. installed on variTRON300",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c9.0.2.5. installed on variTRON500",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c9.0.2.5. installed on variTRON500 touch",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 9.0.2.5. installed on variTRON300",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 9.0.2.5. installed on variTRON500",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 9.0.2.5. installed on variTRON500 touch",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11003"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-41731",
"cwe": {
"id": "CWE-338",
"name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
},
"notes": [
{
"category": "description",
"text": "A vulnerability was identified in the password generation algorithm when accessing the debug-interface. An unauthenticated local attacker with knowledge of the password generation timeframe might be able to brute force the password in a timely manner and thus gain root access to the device if the debug interface is still enabled.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"references": [
{
"category": "external",
"summary": "Advisory: VDE-2025-015",
"url": "https://certvde.com/en/advisories/VDE-2025-015/"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Update the affected products to version 9.0.2.5. ",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "mitigation",
"details": "Disable the debug interface to prevent unauthorized root-access to the ssh Interface. The debug interface of the ssh is deactivated after rebooting the system.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.4,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.4,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "Jumo: Insufficient entropy in PRNG may lead to root access"
}
]
}