Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    24 vulnerabilities found for ctrlX OS - Device Admin by Bosch Rexroth AG

    CVE-2025-27532 (GCVE-0-2025-27532)

    Vulnerability from nvd – Published: 2025-04-30 11:49 – Updated: 2025-04-30 14:08
    VLAI
    Summary
    A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:07:36.369370Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:08:31.240Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cBackup \u0026 Restore\u201d functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:49:02.687Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-27532",
        "datePublished": "2025-04-30T11:49:02.687Z",
        "dateReserved": "2025-02-28T12:47:36.247Z",
        "dateUpdated": "2025-04-30T14:08:31.240Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24351 (GCVE-0-2025-24351)

    Vulnerability from nvd – Published: 2025-04-30 11:47 – Updated: 2026-02-26 18:27
    VLAI
    Summary
    A vulnerability in the “Remote Logging” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to execute arbitrary OS commands in the context of user “root” via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24351",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T03:55:12.845453Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:27:53.157Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cRemote Logging\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to execute arbitrary OS commands in the context of user \u201croot\u201d via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:47:00.441Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24351",
        "datePublished": "2025-04-30T11:47:00.441Z",
        "dateReserved": "2025-01-20T15:09:10.534Z",
        "dateUpdated": "2026-02-26T18:27:53.157Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-24350 (GCVE-0-2025-24350)

    Vulnerability from nvd – Published: 2025-04-30 11:45 – Updated: 2025-04-30 14:23
    VLAI
    Summary
    A vulnerability in the “Certificates and Keys” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24350",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:19:36.466932Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:23:43.476Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cCertificates and Keys\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:45:52.088Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24350",
        "datePublished": "2025-04-30T11:45:52.088Z",
        "dateReserved": "2025-01-20T15:09:10.534Z",
        "dateUpdated": "2025-04-30T14:23:43.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24349 (GCVE-0-2025-24349)

    Vulnerability from nvd – Published: 2025-04-30 11:44 – Updated: 2025-04-30 14:30
    VLAI
    Summary
    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to delete the configuration of physical network interfaces via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-183 - Permissive List of Allowed Inputs
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24349",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:30:15.140761Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:30:33.942Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cNetwork Interfaces\u201d functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to delete the configuration of physical network interfaces via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-183",
                  "description": "CWE-183 Permissive List of Allowed Inputs",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:44:33.547Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24349",
        "datePublished": "2025-04-30T11:44:33.547Z",
        "dateReserved": "2025-01-20T15:09:10.534Z",
        "dateUpdated": "2025-04-30T14:30:33.942Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24348 (GCVE-0-2025-24348)

    Vulnerability from nvd – Published: 2025-04-30 11:42 – Updated: 2025-04-30 14:34
    VLAI
    Summary
    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24348",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:34:00.567080Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:34:17.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cNetwork Interfaces\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:42:54.314Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24348",
        "datePublished": "2025-04-30T11:42:54.314Z",
        "dateReserved": "2025-01-20T15:09:10.534Z",
        "dateUpdated": "2025-04-30T14:34:17.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24347 (GCVE-0-2025-24347)

    Vulnerability from nvd – Published: 2025-04-30 11:41 – Updated: 2025-04-30 14:35
    VLAI
    Summary
    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24347",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:35:11.535734Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:35:23.354Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cNetwork Interfaces\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:41:39.707Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24347",
        "datePublished": "2025-04-30T11:41:39.707Z",
        "dateReserved": "2025-01-20T15:09:10.533Z",
        "dateUpdated": "2025-04-30T14:35:23.354Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24346 (GCVE-0-2025-24346)

    Vulnerability from nvd – Published: 2025-04-30 11:39 – Updated: 2026-02-26 18:27
    VLAI
    Summary
    A vulnerability in the “Proxy” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to manipulate the “/etc/environment” file via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24346",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T03:55:11.477767Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:27:53.666Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cProxy\u201d functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to manipulate the \u201c/etc/environment\u201d file via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:39:42.899Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24346",
        "datePublished": "2025-04-30T11:39:42.899Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2026-02-26T18:27:53.666Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-24345 (GCVE-0-2025-24345)

    Vulnerability from nvd – Published: 2025-04-30 11:35 – Updated: 2025-04-30 14:44
    VLAI
    Summary
    A vulnerability in the “Hosts” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the “hosts” file in an unintended manner via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24345",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:43:57.951337Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:44:15.824Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cHosts\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the \u201chosts\u201d file in an unintended manner via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:35:44.628Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24345",
        "datePublished": "2025-04-30T11:35:44.628Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T14:44:15.824Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24342 (GCVE-0-2025-24342)

    Vulnerability from nvd – Published: 2025-04-30 11:25 – Updated: 2025-04-30 15:08
    VLAI
    Summary
    A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-204 - Observable Response Discrepancy
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24342",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:07:26.811208Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:08:39.394Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-204",
                  "description": "CWE-204 Observable Response Discrepancy",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:25:35.615Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24342",
        "datePublished": "2025-04-30T11:25:35.615Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T15:08:39.394Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24341 (GCVE-0-2025-24341)

    Vulnerability from nvd – Published: 2025-04-30 11:14 – Updated: 2025-04-30 15:11
    VLAI
    Summary
    A vulnerability in the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to induce a Denial-of-Service (DoS) condition on the device via multiple crafted HTTP requests. In the worst case, a full power cycle is needed to regain control of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24341",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:09:35.775128Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:11:57.073Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to induce a Denial-of-Service (DoS) condition on the device via multiple crafted HTTP requests. In the worst case, a full power cycle is needed to regain control of the device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:14:47.046Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24341",
        "datePublished": "2025-04-30T11:14:47.046Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T15:11:57.073Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24340 (GCVE-0-2025-24340)

    Vulnerability from nvd – Published: 2025-04-30 10:59 – Updated: 2025-04-30 15:44
    VLAI
    Summary
    A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-916 - Use of Password Hash With Insufficient Computational Effort
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24340",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:44:20.325238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:44:38.122Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-916",
                  "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T10:59:06.633Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24340",
        "datePublished": "2025-04-30T10:59:06.633Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T15:44:38.122Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24339 (GCVE-0-2025-24339)

    Vulnerability from nvd – Published: 2025-04-30 10:54 – Updated: 2025-04-30 15:46
    VLAI
    Summary
    A vulnerability in the web application of ctrlX OS allows a remote unauthenticated attacker to conduct various attacks against users of the vulnerable system, including web cache poisoning or Man-in-the-Middle (MitM), via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24339",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:45:21.095944Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:46:30.151Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the web application of ctrlX OS allows a remote unauthenticated attacker to conduct various attacks against users of the vulnerable system, including web cache poisoning or Man-in-the-Middle (MitM), via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-644",
                  "description": "CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:01:15.158Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24339",
        "datePublished": "2025-04-30T10:54:56.607Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T15:46:30.151Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27532 (GCVE-0-2025-27532)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:49 – Updated: 2025-04-30 14:08
    VLAI
    Summary
    A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:07:36.369370Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:08:31.240Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cBackup \u0026 Restore\u201d functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:49:02.687Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-27532",
        "datePublished": "2025-04-30T11:49:02.687Z",
        "dateReserved": "2025-02-28T12:47:36.247Z",
        "dateUpdated": "2025-04-30T14:08:31.240Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24351 (GCVE-0-2025-24351)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:47 – Updated: 2026-02-26 18:27
    VLAI
    Summary
    A vulnerability in the “Remote Logging” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to execute arbitrary OS commands in the context of user “root” via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24351",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T03:55:12.845453Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:27:53.157Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cRemote Logging\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to execute arbitrary OS commands in the context of user \u201croot\u201d via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:47:00.441Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24351",
        "datePublished": "2025-04-30T11:47:00.441Z",
        "dateReserved": "2025-01-20T15:09:10.534Z",
        "dateUpdated": "2026-02-26T18:27:53.157Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-24350 (GCVE-0-2025-24350)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:45 – Updated: 2025-04-30 14:23
    VLAI
    Summary
    A vulnerability in the “Certificates and Keys” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24350",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:19:36.466932Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:23:43.476Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cCertificates and Keys\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:45:52.088Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24350",
        "datePublished": "2025-04-30T11:45:52.088Z",
        "dateReserved": "2025-01-20T15:09:10.534Z",
        "dateUpdated": "2025-04-30T14:23:43.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24349 (GCVE-0-2025-24349)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:44 – Updated: 2025-04-30 14:30
    VLAI
    Summary
    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to delete the configuration of physical network interfaces via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-183 - Permissive List of Allowed Inputs
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24349",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:30:15.140761Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:30:33.942Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cNetwork Interfaces\u201d functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to delete the configuration of physical network interfaces via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-183",
                  "description": "CWE-183 Permissive List of Allowed Inputs",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:44:33.547Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24349",
        "datePublished": "2025-04-30T11:44:33.547Z",
        "dateReserved": "2025-01-20T15:09:10.534Z",
        "dateUpdated": "2025-04-30T14:30:33.942Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24348 (GCVE-0-2025-24348)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:42 – Updated: 2025-04-30 14:34
    VLAI
    Summary
    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24348",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:34:00.567080Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:34:17.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cNetwork Interfaces\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:42:54.314Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24348",
        "datePublished": "2025-04-30T11:42:54.314Z",
        "dateReserved": "2025-01-20T15:09:10.534Z",
        "dateUpdated": "2025-04-30T14:34:17.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24347 (GCVE-0-2025-24347)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:41 – Updated: 2025-04-30 14:35
    VLAI
    Summary
    A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24347",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:35:11.535734Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:35:23.354Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cNetwork Interfaces\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:41:39.707Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24347",
        "datePublished": "2025-04-30T11:41:39.707Z",
        "dateReserved": "2025-01-20T15:09:10.533Z",
        "dateUpdated": "2025-04-30T14:35:23.354Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24346 (GCVE-0-2025-24346)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:39 – Updated: 2026-02-26 18:27
    VLAI
    Summary
    A vulnerability in the “Proxy” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to manipulate the “/etc/environment” file via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24346",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T03:55:11.477767Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:27:53.666Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cProxy\u201d functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to manipulate the \u201c/etc/environment\u201d file via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:39:42.899Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24346",
        "datePublished": "2025-04-30T11:39:42.899Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2026-02-26T18:27:53.666Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-24345 (GCVE-0-2025-24345)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:35 – Updated: 2025-04-30 14:44
    VLAI
    Summary
    A vulnerability in the “Hosts” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the “hosts” file in an unintended manner via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24345",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T14:43:57.951337Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T14:44:15.824Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the \u201cHosts\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the \u201chosts\u201d file in an unintended manner via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:35:44.628Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24345",
        "datePublished": "2025-04-30T11:35:44.628Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T14:44:15.824Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24342 (GCVE-0-2025-24342)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:25 – Updated: 2025-04-30 15:08
    VLAI
    Summary
    A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-204 - Observable Response Discrepancy
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24342",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:07:26.811208Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:08:39.394Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-204",
                  "description": "CWE-204 Observable Response Discrepancy",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:25:35.615Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24342",
        "datePublished": "2025-04-30T11:25:35.615Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T15:08:39.394Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24341 (GCVE-0-2025-24341)

    Vulnerability from cvelistv5 – Published: 2025-04-30 11:14 – Updated: 2025-04-30 15:11
    VLAI
    Summary
    A vulnerability in the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to induce a Denial-of-Service (DoS) condition on the device via multiple crafted HTTP requests. In the worst case, a full power cycle is needed to regain control of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24341",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:09:35.775128Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:11:57.073Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to induce a Denial-of-Service (DoS) condition on the device via multiple crafted HTTP requests. In the worst case, a full power cycle is needed to regain control of the device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:14:47.046Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24341",
        "datePublished": "2025-04-30T11:14:47.046Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T15:11:57.073Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24340 (GCVE-0-2025-24340)

    Vulnerability from cvelistv5 – Published: 2025-04-30 10:59 – Updated: 2025-04-30 15:44
    VLAI
    Summary
    A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-916 - Use of Password Hash With Insufficient Computational Effort
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24340",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:44:20.325238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:44:38.122Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-916",
                  "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T10:59:06.633Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24340",
        "datePublished": "2025-04-30T10:59:06.633Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T15:44:38.122Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-24339 (GCVE-0-2025-24339)

    Vulnerability from cvelistv5 – Published: 2025-04-30 10:54 – Updated: 2025-04-30 15:46
    VLAI
    Summary
    A vulnerability in the web application of ctrlX OS allows a remote unauthenticated attacker to conduct various attacks against users of the vulnerable system, including web cache poisoning or Man-in-the-Middle (MitM), via a crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch Rexroth AG ctrlX OS - Device Admin Affected: 1.12.0 , ≤ 1.12.9 (custom)
    Affected: 1.20.0 , ≤ 1.20.7 (custom)
    Affected: 2.6.0 , ≤ 2.6.8 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24339",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-30T15:45:21.095944Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-30T15:46:30.151Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ctrlX OS - Device Admin",
              "vendor": "Bosch Rexroth AG",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.9",
                  "status": "affected",
                  "version": "1.12.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.20.7",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "2.6.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the web application of ctrlX OS allows a remote unauthenticated attacker to conduct various attacks against users of the vulnerable system, including web cache poisoning or Man-in-the-Middle (MitM), via a crafted HTTP request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-644",
                  "description": "CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-30T11:01:15.158Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2025-24339",
        "datePublished": "2025-04-30T10:54:56.607Z",
        "dateReserved": "2025-01-20T15:09:10.532Z",
        "dateUpdated": "2025-04-30T15:46:30.151Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }