VDE-2025-105

Vulnerability from csaf_endresshauserag - Published: 2025-12-08 09:00 - Updated: 2025-12-08 09:00
Summary
Endress+Hauser: Multiple products affected by Wibu-Systems CodeMeter Vulnerability
Severity
Critical
Notes
Summary: A vulnerability in Wibu-Systems CodeMeter (up to version 7.60b) affects multiple Endress+Hauser products. This flaw can lead to a heap buffer overflow, which may allow remote code execution under certain conditions.
Impact: An attacker exploiting the vulnerability in Wibu CodeMeter Runtime when running in server mode could gain full control of the affected server via network access without any user interaction. In non-networked workstation mode, exploiting the same vulnerability could result in privilege escalation, granting the attacker full administrative access to the workstation.
Mitigation: If possible, configure CodeMeter to run in client-only mode. If server mode is required, restrict access to authorized clients by implementing an access control list. For Proline Promag 800 OPC UA Connectivity, CodeMeter operates as a server only during license activation. Installation and license activation are managed by Endress+Hauser. If a customer performs manual license activation, it is strongly recommended to limit network access to necessary clients only by using firewalls or equivalent security measures.
Remediation: Endress+Hauser has released updated firmware versions that address this vulnerability. The only exception is Proline Promag 800 OPC UA Connectivity, with the update planned for Q3 2026. Customers are strongly advised to upgrade to the latest fixed version. For assistance, please contact your local Endress+Hauser service center.

| Product               | Fixed Version |
|-----------------------|---------------|
| DeviceCare            | 1.07.05       |
| FDM installations     | 1.6.13.10138  |
| FieldCare             | 2.16.00       |
| SupplyCare Enterprise | 3.14          |
General Recommendation: Endress+Hauser recommends operating these solutions in a secure environment and restricting access to components to authorized personnel only.

Vulnerability Description: A heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve remote code execution (RCE) and gain full access to the host system.

CWE-787 - Out-of-bounds Write
Mitigation: If possible, configure CodeMeter to run in client-only mode. If server mode is required, restrict access to authorized clients by implementing an access control list. For Proline Promag 800 OPC UA Connectivity, CodeMeter operates as a server only during license activation. Installation and license activation are managed by Endress+Hauser. If a customer performs manual license activation, it is strongly recommended to limit network access to necessary clients only by using firewalls or equivalent security measures.
Vendor Fix: Endress+Hauser has released updated firmware versions that address this vulnerability. Customers are strongly advised to upgrade to the latest fixed version. For assistance, please contact your local Endress+Hauser service center.
Acknowledgments
CERT@VDE (coordination) - https://certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability in Wibu-Systems CodeMeter (up to version 7.60b) affects multiple Endress+Hauser products. This flaw can lead to a heap buffer overflow, which may allow remote code execution under certain conditions.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "An attacker exploiting the vulnerability in Wibu CodeMeter Runtime when running in server mode could gain full control of the affected server via network access without any user interaction. In non-networked workstation mode, exploiting the same vulnerability could result in privilege escalation, granting the attacker full administrative access to the workstation. ",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "If possible, configure CodeMeter to run in client-only mode. If server mode is required, restrict access to authorized clients by implementing an access control list. \nFor Proline Promag 800 OPC UA Connectivity, CodeMeter operates as a server only during license activation. Installation and license activation are managed by Endress+Hauser. If a customer performs manual license activation, it is strongly recommended to limit network access to necessary clients only by using firewalls or equivalent security measures. ",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Endress+Hauser has released updated firmware versions that address this vulnerability. The only exception is Proline Promag 800 OPC UA Connectivity, with the update planned for Q3 2026. Customers are strongly advised to upgrade to the latest fixed version. For assistance, please contact your local Endress+Hauser service center.\n\n| Product                          | Fixed Version |\n|----------------------------------|---------------|\n| DeviceCare               | 1.07.05       |\n| FDM installations              | 1.6.13.10138     |\n| FieldCare            | 2.16.00       |\n| SupplyCare Enterprise           | 3.14      |",
        "title": "Remediation"
      },
      {
        "category": "general",
        "text": "Endress+Hauser recommends operating these solutions in a secure environment and restricting access to components to authorized personnel only. ",
        "title": "General Recommendation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@endress.com",
      "name": "Endress+Hauser AG",
      "namespace": "https://www.endress.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Endress+Hauser",
        "url": "https://www.endress.com"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Endress+Hauser",
        "url": "https://certvde.com/en/advisories/vendor/endress+hauser"
      },
      {
        "category": "self",
        "summary": "VDE-2025-105: Endress+Hauser: Multiple products affected by Wibu-Systems CodeMeter Vulnerability - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-105"
      },
      {
        "category": "self",
        "summary": "VDE-2025-105: Endress+Hauser: Multiple products affected by Wibu-Systems CodeMeter Vulnerability - CSAF",
        "url": "https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-105.json"
      }
    ],
    "title": "Endress+Hauser: Multiple products affected by Wibu-Systems CodeMeter Vulnerability",
    "tracking": {
      "aliases": [
        "VDE-2025-105"
      ],
      "current_release_date": "2025-12-08T09:00:00.000Z",
      "generator": {
        "date": "2025-12-02T12:54:30.507Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.40"
        }
      },
      "id": "VDE-2025-105",
      "initial_release_date": "2025-12-08T09:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-12-08T09:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c1.07.05",
                    "product": {
                      "name": "DeviceCare \u003c1.07.05",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.07.05",
                    "product": {
                      "name": "DeviceCare 1.07.05",
                      "product_id": "CSAFPID-52001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "DeviceCare "
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c1.6.13.10138",
                    "product": {
                      "name": "FDM installations \u003c1.6.13.10138",
                      "product_id": "CSAFPID-51002"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.6.13.10138",
                    "product": {
                      "name": "FDM installations 1.6.13.10138",
                      "product_id": "CSAFPID-52002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "FDM installations "
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c2.16.00",
                    "product": {
                      "name": "FieldCare \u003c2.16.00",
                      "product_id": "CSAFPID-51003"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.16.00",
                    "product": {
                      "name": "FieldCare 2.16.00",
                      "product_id": "CSAFPID-52003"
                    }
                  }
                ],
                "category": "product_name",
                "name": "FieldCare "
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c3.14",
                    "product": {
                      "name": "SupplyCare Enterprise  \u003c3.14",
                      "product_id": "CSAFPID-51004"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "3.14 ",
                    "product": {
                      "name": "SupplyCare Enterprise  3.14",
                      "product_id": "CSAFPID-52004"
                    }
                  }
                ],
                "category": "product_name",
                "name": "SupplyCare Enterprise  "
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "Proline Promag 800 OPC UA Connectivity vers:all/* ",
                      "product_id": "CSAFPID-51005"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Proline Promag 800 OPC UA Connectivity "
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Endress+Hauser"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-52001",
          "CSAFPID-52002",
          "CSAFPID-52003",
          "CSAFPID-52004"
        ],
        "summary": "Fixed products."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-3935",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system. ",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001",
          "CSAFPID-52002",
          "CSAFPID-52003",
          "CSAFPID-52004"
        ],
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "If possible, configure CodeMeter to run in client-only mode. If server mode is required, restrict access to authorized clients by implementing an access control list. \nFor Proline Promag 800 OPC UA Connectivity, CodeMeter operates as a server only during license activation. Installation and license activation are managed by Endress+Hauser. If a customer performs manual license activation, it is strongly recommended to limit network access to necessary clients only by using firewalls or equivalent security measures. ",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Endress+Hauser has released updated firmware versions that address this vulnerability. Customers are strongly advised to upgrade to the latest fixed version. For assistance, please contact your local Endress+Hauser service center. ",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005"
          ]
        }
      ],
      "title": "Wibu: Buffer Overflow in CodeMeter Runtime"
    }
  ]
}

