VDE-2025-011

Vulnerability from csaf_pepperlfuchsse - Published: 2025-05-26 10:00 - Updated: 2025-08-27 10:00
Summary
PEPPERL+FUCHS: Profinet Gateway LB8122A.1.EL – Device is affected by XSS vulnerability and information disclosure
Notes
Summary: A stored cross-site scripting vulnerability has been discovered in the Profinet gateway LB8122A.1.EL. An attacker can write an HTML tag with up to 32 characters in the message field of a HART transmitter. The HTML tag is interpreted as HTML when the HART information is displayed in a web browser. If the HTML tag contains a link to a manipulated page, a user can be tricked into accessing this page. Furthermore, an attacker can access information about running processes via the SNMP protocol. Sending such SNMP read commands can also trigger a reboot.
Impact: An unauthenticated attacker can use a stored HTML link in a HART transmitter to redirect a user to a manipulated website. From there, he can manipulate the user's device or environment. An attacker can collect information via SNMP to launch attacks. Sending the read commands can trigger a reboot of the device.
Remediation: Please install the updated firmware V1.3.13.
Mitigation: The web server is switched off by default and can only be switched on via the gateway display. It is then active for 5 minutes and switches itself off again.
 - Ensure that only authorized personnel have access to the gateway.
 - Only use the gateway in an isolated network environment.

CVE-2025-1985: Due to improper neutralization of input during web page generation (XSS), an unauthenticated remote attacker can inject HTML code into the Web-UI of the affected device.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vendor Fix: Please install the updated firmware V1.3.13.

CVE-2025-41654: An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.

CWE-306 - Missing Authentication for Critical Function
Vendor Fix: Please install the updated firmware V1.3.13.

CVE-2025-41655: An unauthenticated remote attacker can access a URL which causes the device to reboot.

CWE-306 - Missing Authentication for Critical Function
Vendor Fix: Please install the updated firmware V1.3.13.
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "A stored cross-site scripting vulnerability has been discovered in the profinet gateway LB8122A.1.EL. An attacker can write an HTML tag with up to 32 characters in the message field of a HART transmitter. The HTML tag is interpreted as HTML when the HART information is displayed in a webbrowser. If the HTML tag contains a link to a manipulated page, a user can be tricked into accessing this page.\nFurthermore, an attacker can access information about running processes via the SNMP protocol. Sending such SNMP read commands can also trigger a reboot.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "An unauthenticated attacker can use a stored HTML link in a HART transmitter to redirect a user to a manipulated website. From there, he can manipulate the user\u0027s device or environment.\nAn attacker can collect information via SNMP to launch attacks. Sending the read commands can trigger a reboot of the device.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Please install the updated firmware V1.3.13.",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "The web server is switched off by default and can only be switched on via the gateway display. It is then active for 5 minutes and switches itself off again.\n - Ensure that only authorized personnel have access to the gateway.\n - Only use the gateway in an isolated network environment.",
        "title": "Mitigation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "cert@pepperl-fuchs.com",
      "name": "Pepperl+Fuchs SE",
      "namespace": "https://www.pepperl-fuchs.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Pepperl+Fuchs PSIRT",
        "url": "https://pepperl-fuchs.com/cybersecurity"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Pepperl+Fuchs",
        "url": "https://certvde.com/en/advisories/vendor/Pepperl+Fuchs"
      },
      {
        "category": "self",
        "summary": "VDE-2025-011: PEPPERL+FUCHS: Profinet Gateway LB8122A.1.EL \u2013 Device is affected by XSS vulnerability and information disclosure - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-011"
      },
      {
        "category": "self",
        "summary": "VDE-2025-011: PEPPERL+FUCHS: Profinet Gateway LB8122A.1.EL \u2013 Device is affected by XSS vulnerability and information disclosure - CSAF",
        "url": "https://pepperl-fuchs.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-011.json"
      }
    ],
    "title": "PEPPERL+FUCHS: Profinet Gateway LB8122A.1.EL \u2013 Device is affected by XSS vulnerability and information disclosure",
    "tracking": {
      "aliases": [
        "VDE-2025-011"
      ],
      "current_release_date": "2025-08-27T10:00:00.000Z",
      "generator": {
        "date": "2025-08-28T07:36:59.056Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.34"
        }
      },
      "id": "VDE-2025-011",
      "initial_release_date": "2025-05-26T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-06-05T13:28:12.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        },
        {
          "date": "2025-08-27T10:00:00.000Z",
          "number": "1.1.0",
          "summary": "Update: CWE from CVE-2025-41654, Revision History"
        }
      ],
      "status": "final",
      "version": "1.1.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "LB8122A.1.EL",
                "product": {
                  "name": "Profinet Gateway LB8122A.1.EL",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "70120382",
                      "286519"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "FB8122A.1.EL",
                "product": {
                  "name": "Profinet Gateway FB8122A.1.EL",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "70138965",
                      "286522"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV1.3.13",
                "product": {
                  "name": "Firmware \u003cV1.3.13",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "V1.3.13",
                "product": {
                  "name": "Firmware V1.3.13",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Pepperl+Fuchs"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003cV1.3.13 installed on Profinet Gateway LB8122A.1.EL",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V1.3.13 installed on Profinet Gateway LB8122A.1.EL",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003cV1.3.13 installed on Profinet Gateway FB8122A.1.EL",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V1.3.13 installed on Profinet Gateway FB8122A.1.EL",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-1985",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "Due to improper neutralization of input during web page generation (XSS) an unauthenticated remote attacker can inject HTML code into the Web-UI in the affected device. \n",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Please install the updated firmware V1.3.13.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 6.1,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "temporalScore": 6.1,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002"
          ]
        }
      ],
      "title": "CVE-2025-1985"
    },
    {
      "cve": "CVE-2025-41654",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog. ",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Please install the updated firmware V1.3.13.",
          "product_ids": [
            "CSAFPID-32001",
            "CSAFPID-32002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "environmentalScore": 8.2,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 8.2,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002"
          ]
        }
      ],
      "title": "CVE-2025-41654"
    },
    {
      "cve": "CVE-2025-41655",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An unauthenticated remote attacker can access a URL which causes the device to reboot.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Please install the updated firmware V1.3.13.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002"
          ]
        }
      ],
      "title": "CVE-2025-41655"
    }
  ]
}

