Cyber Resilience

CVE-2025-24522

Critical

Published: 01 May 2025

Modified: 15 April 2026
CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0109 (78.4th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24522 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Revolutionpi (the affected product is inferred from the references, since NVD filed no CPE for this CVE). Its CVSS base score is 9.3 (Critical).

Operationally, this CVE ranks in the top 21.6% of CVEs by EPSS exploit likelihood (78.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

KUNBUS Revolution Pi OS Bookworm 01/2025 contains a default configuration weakness in its Node-RED server that leaves authentication disabled. The affected component is the Node-RED instance bundled with the industrial OS image released in January 2025, exposing the server to network access without any credential requirement.

An unauthenticated remote attacker can connect directly to the Node-RED server and execute arbitrary commands on the underlying operating system, resulting in full compromise of confidentiality, integrity, and availability. The vulnerability is tracked as CWE-305 and carries a CVSS 4.0 score of 9.3 with a network attack vector and no required privileges or user interaction.

The CISA advisory ICSA-25-121-01 and the Revolution Pi package repository at packages.revolutionpi.de provide guidance on available mitigations and updated packages. The associated EPSS score remains low and unchanged at 0.0109, indicating limited observed exploitation interest to date.

Vulnerability details

KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the underlying operating system.
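Node-RED gates its editor and admin API with the adminAuth block of settings.js, and the weakness described above is the case where that block is absent. The following is an added example for defenders, not code from the advisory, from KUNBUS, or from the Node-RED project: it places a settings object with that weakness next to a hardened one and runs a small audit over each. The settings keys (adminAuth, httpNodeAuth, uiHost, uiPort) are Node-RED's documented ones; the audit logic and its severity labels are this example's own, and the bcrypt hash is a constructed placeholder (a real one comes from `node-red admin hash-pw`). The vendor's updated packages and the CISA advisory remain the authoritative fix for this CVE.

```javascript
// Added example: audit a Node-RED settings object for missing authentication.
// Not code from the advisory, KUNBUS, or Node-RED. Settings keys are Node-RED's
// documented ones; the audit rules and severities are this example's own.

// bcrypt hash shape: $2a/$2b/$2y, two-digit cost, 22-char salt + 31-char hash.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Constructed placeholder in bcrypt format; NOT a real credential.
const PLACEHOLDER_HASH = '$2b$08$' + 'Qk7M3uPz1Xr9YwLcN2vBd.eF4gH5iJ6kL7mN8oP9qR0sT1uV2wX3y';

// Weak configuration: the shape of a settings.js that never sets adminAuth.
// The editor and its admin API (flows, nodes, settings) then need no login,
// and the server binds to all interfaces because uiHost is unset.
const weakSettings = {
  uiPort: 1880,
};

// Hardened configuration: editor login required, HTTP In endpoints protected,
// and the listener restricted to the loopback interface.
const hardenedSettings = {
  uiPort: 1880,
  uiHost: '127.0.0.1',          // put a reverse proxy in front if remote access is needed
  adminAuth: {
    type: 'credentials',
    users: [{
      username: 'admin',
      password: PLACEHOLDER_HASH, // bcrypt hash, never a plaintext password
      permissions: '*',
    }],
  },
  httpNodeAuth: { user: 'svc', pass: PLACEHOLDER_HASH }, // basic auth on HTTP In nodes
};

// Returns a list of findings; an empty list means no rule fired.
function auditNodeRedSettings(settings) {
  const findings = [];

  if (!settings.adminAuth) {
    findings.push({ key: 'adminAuth', severity: 'critical',
      msg: 'editor and admin API accept unauthenticated requests' });
  } else {
    const users = settings.adminAuth.users;
    if (Array.isArray(users)) {
      if (settings.adminAuth.type === 'credentials' && users.length === 0) {
        findings.push({ key: 'adminAuth.users', severity: 'critical',
          msg: 'credentials auth configured with no users' });
      }
      for (const u of users) {
        if (typeof u.password !== 'string' || !BCRYPT_RE.test(u.password)) {
          findings.push({ key: `adminAuth.users[${u.username}]`, severity: 'high',
            msg: 'password is not a bcrypt hash' });
        }
      }
    }
    // adminAuth.users may also be a lookup function; that form is not inspected here.
  }

  if (!settings.httpNodeAuth) {
    findings.push({ key: 'httpNodeAuth', severity: 'medium',
      msg: 'HTTP In node endpoints are reachable without credentials' });
  }

  if (!settings.uiHost || settings.uiHost === '0.0.0.0' || settings.uiHost === '::') {
    findings.push({ key: 'uiHost', severity: 'medium',
      msg: 'server listens on all interfaces' });
  }

  return findings;
}

console.log('weak:', JSON.stringify(auditNodeRedSettings(weakSettings), null, 2));
console.log('hardened:', JSON.stringify(auditNodeRedSettings(hardenedSettings), null, 2));
```

Run it with `node audit-node-red.js` after pasting the object exported by the target's settings.js in place of `weakSettings`; the critical finding on adminAuth is the condition this CVE describes, and the uiHost finding is what makes it reachable from the network rather than only locally.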

CWE(s)

CWE-305: Authentication Bypass by Primary Weakness

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Revolutionpi (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

CISA ICS advisory ICSA-25-121-01
Revolution Pi package repository: packages.revolutionpi.de