VDE-2025-068
Vulnerability from csaf_endresshauserag - Published: 2025-09-02 10:00 - Updated: 2026-02-20 09:00
Summary
Endress+Hauser: Proline 10 Maintenance credentials may be exposed under certain conditions
Severity
Medium
Notes
Summary: A privilege escalation vulnerability has been identified in Endress+Hauser's Proline 10 devices. This flaw allows an authenticated user with Operator-level access to elevate their privileges and gain Maintenance-level access, potentially enabling unauthorized configuration changes.
Endress+Hauser has released a security update addressing this issue.
Impact: Successful exploitation of this vulnerability may allow an attacker to perform vertical privilege escalation, gaining unauthorized access to Maintenance-level functions. As a result, the attacker could:
• Modify all Maintenance parameters
• Change device settings
• Initiate a device reset, potentially causing operational downtime
• Restore the device to its factory default settings
• Reconfigure non-critical diagnostic parameters
• Disable Bluetooth communication
• Alter the 4–20 mA analog output range
Mitigation: If an immediate firmware update is not feasible, it is recommended to disable the device's Bluetooth communication when not actively in use. This significantly reduces the risk of unauthorized access by eliminating the key vector through which the vulnerability could be exploited.
Remediation: Endress+Hauser has released updated firmware versions for the affected devices that resolve this vulnerability. Customers are encouraged to update their devices to the latest firmware version as soon as possible.
For assistance with the update process, please contact your local Endress+Hauser service center.
General Recommendation: Endress+Hauser recommends using the solutions only in a secure environment and allowing access to their components only to authorized persons.
CVE-2025-41690 (CWE-532: Insertion of Sensitive Information into Log File): A low-privileged attacker in Bluetooth range may be able to access the password of a higher-privilege user (Maintenance) by viewing the device’s event log. This vulnerability could allow the Operator to authenticate as the Maintenance user, thereby gaining unauthorized access to sensitive configuration settings and the ability to modify device parameters.
CVSS v3.1 base score: 7.4 (High), vector CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "medium"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "A privilege escalation vulnerability has been identified in Endress+Hauser\u0027s Proline 10 devices. This flaw allows an authenticated user with Operator-level access to elevate their privileges and gain Maintenance-level access, potentially enabling unauthorized configuration changes.\n\nEndress+Hauser has released a security update addressing this issue.\n",
"title": "Summary"
},
{
"category": "description",
"text": "Successful exploitation of this vulnerability may allow an attacker to perform vertical privilege escalation, gaining unauthorized access to Maintenance-level functions. As a result, the attacker could: \n\u2022\tModify all Maintenance parameters \n\u2022\tChange device settings \n\u2022\tInitiate a device reset, potentially causing operational downtime \n\u2022\tRestore the device to its factory default settings \n\u2022\tReconfigure non-critical diagnostic parameters \n\u2022\tDisable Bluetooth communication \n\u2022\tAlter the 4\u201320 mA analog output range \n",
"title": "Impact"
},
{
"category": "description",
"text": "If an immediate firmware update is not feasible, it is recommended to disable the device\u0027s Bluetooth communication when not actively in use. This significantly reduces the risk of unauthorized access by eliminating the key vector through which the vulnerability could be exploited.",
"title": "Mitigation"
},
{
"category": "description",
"text": "Endress+Hauser has released updated firmware versions for the affected devices that resolve this vulnerability. Customers are encouraged to update their devices to the latest firmware version as soon as possible.\nFor assistance with the update process, please contact your local Endress+Hauser service center.\n",
"title": "Remediation"
},
{
"category": "general",
"text": "Endress+Hauser recommends using the solutions only in a secure environment and to allow access to their components only to authorized persons.",
"title": "General Recommendation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@endress.com",
"name": "Endress+Hauser AG",
"namespace": "https://www.endress.com"
},
"references": [
{
"category": "external",
"summary": "Endress+Hauser ",
"url": "https://www.endress.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Endress+Hauser",
"url": "https://certvde.com/en/advisories/vendor/endress+hauser"
},
{
"category": "self",
"summary": "VDE-2025-068: Endress+Hauser: Proline 10 Maintenance credentials may be exposed under certain conditions - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-068"
},
{
"category": "self",
"summary": "VDE-2025-068: Endress+Hauser: Proline 10 Maintenance credentials may be exposed under certain conditions - CSAF",
"url": "https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-068.json"
}
],
"title": "Endress+Hauser: Proline 10 Maintenance credentials may be exposed under certain conditions",
"tracking": {
"aliases": [
"VDE-2025-068"
],
"current_release_date": "2026-02-20T09:00:00.000Z",
"generator": {
"date": "2026-02-20T09:49:04.673Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.43"
}
},
"id": "VDE-2025-068",
"initial_release_date": "2025-09-02T10:00:00.000Z",
"revision_history": [
{
"date": "2025-09-02T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial version"
},
{
"date": "2026-02-20T09:00:00.000Z",
"number": "1.0.1",
"summary": "fixed typo in alias"
}
],
"status": "final",
"version": "1.0.1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "architecture",
"name": "HART ",
"product": {
"name": "Endress+Hauser Promag 10 with HART protocol",
"product_id": "CSAFPID-11001"
}
},
{
"category": "architecture",
"name": "Modbus",
"product": {
"name": "Endress+Hauser Promag 10 with Modbus protocol",
"product_id": "CSAFPID-11002"
}
},
{
"category": "architecture",
"name": "IO-LINK",
"product": {
"name": "Endress+Hauser Promag 10 with IO-Link protocol",
"product_id": "CSAFPID-11003"
}
}
],
"category": "product_name",
"name": "Promag 10"
},
{
"branches": [
{
"category": "architecture",
"name": "HART",
"product": {
"name": "Endress+Hauser Promass 10 with HART protocol",
"product_id": "CSAFPID-11004"
}
},
{
"category": "architecture",
"name": "Modbus",
"product": {
"name": "Endress+Hauser Promass 10 with Modbus protocol",
"product_id": "CSAFPID-11005"
}
},
{
"category": "architecture",
"name": "IO-Link",
"product": {
"name": "Endress+Hauser Promass 10 with IO-Link protocol",
"product_id": "CSAFPID-11006"
}
}
],
"category": "product_name",
"name": "Promass 10"
}
],
"category": "product_family",
"name": "Proline 10"
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c01.00.06",
"product": {
"name": "Firmware \u003c01.00.06",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "01.00.06",
"product": {
"name": "Firmware 01.00.06",
"product_id": "CSAFPID-22001"
}
},
{
"category": "product_version_range",
"name": "\u003c01.00.02",
"product": {
"name": "Firmware \u003c01.00.02",
"product_id": "CSAFPID-21002"
}
},
{
"category": "product_version",
"name": "01.00.02",
"product": {
"name": "Firmware 01.00.02",
"product_id": "CSAFPID-22002"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Endress+Hauser"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
],
"summary": "Affected Products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"summary": "Fixed Products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c01.00.06 installed on Promag 10 with HART",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c01.00.06 installed on Promag 10 with Modbus",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": " Firmware \u003c01.00.02 installed on Promag 10 with IO-Link",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c01.00.06 installed on Promass 10 with HART",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c01.00.06 installed on Promass 10 with Modbus",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c01.00.02 installed on Promass 10 with IO-Link",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 01.00.06 installed on Promag 10 with HART",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 01.00.06 installed on Promag 10 with Modbus",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": " Firmware 01.00.02 installed on Promag 10 with IO-Link",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 01.00.06 installed on Promass 10 with HART",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 01.00.06 installed on Promass 10 with Modbus",
"product_id": "CSAFPID-32005"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 01.00.02 installed on Promass 10 with IO-Link",
"product_id": "CSAFPID-32006"
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11006"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-41690",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A low-privileged attacker in bluetooth range may be able to access the password of a higher-privilege user (Maintenance) by viewing the device\u2019s event log. This vulnerability could allow the Operator to authenticate as the Maintenance user, thereby gaining unauthorized access to sensitive configuration settings and the ability to modify device parameters.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "If an immediate firmware update is not feasible, it is recommended to disable the device\u0027s Bluetooth communication when not actively in use. This significantly reduces the risk of unauthorized access by eliminating the key vector through which the vulnerability could be exploited.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Endress+Hauser has released a security update addressing this issue.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.4,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.4,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2025-41690"
}
]
}