CVE-2025-24522
Published: 01 May 2025
Summary
CVE-2025-24522 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Revolutionpi (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, ranked in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
KUNBUS Revolution Pi OS Bookworm 01/2025 contains a default configuration weakness in its Node-RED server that leaves authentication disabled. The affected component is the Node-RED instance bundled with the industrial OS image released in January 2025, exposing the server to network access without any credential requirement.
An unauthenticated remote attacker can connect directly to the Node-RED server and execute arbitrary commands on the underlying operating system, resulting in full compromise of confidentiality, integrity, and availability. The vulnerability is tracked as CWE-305 and carries a CVSS 4.0 score of 9.3 with a network attack vector and no required privileges or user interaction.
The CISA advisory ICSA-25-121-01 and the Revolution Pi package repository at packages.revolutionpi.de provide guidance on available mitigations and updated packages. The associated EPSS score remains low and unchanged at 0.0109, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13263
Vulnerability details
KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the…
more
underlying operating system.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.