Cyber Resilience

CVE-2025-26411

Severity: High
Published: 11 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in BSP 6.1.0)
CVSS Score (v3.1): 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0027 (50.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26411 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability affecting Wattsense Bridge devices; the affected asset was inferred from the references (the SEC Consult advisory) because NVD did not file a CPE. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS exploit likelihood the CVE ranks in the top 49.3% of all CVEs, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26411 is an unrestricted upload vulnerability in the Plugin Manager of the web interface on Wattsense Bridge devices. It allows an authenticated attacker to upload malicious Python files to the device, enabling remote root access. The vulnerability is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It affects Wattsense Bridge devices running firmware versions prior to BSP 6.1.0.

An attacker with a valid user account on the Wattsense web interface can exploit this issue over the network with low complexity and no user interaction required. By leveraging the Plugin Manager, the attacker uploads and executes arbitrary Python code, achieving full remote root privileges on the device. This grants complete control, including potential data exfiltration, modification of device configurations, or further lateral movement within connected networks.

Advisories from SEC Consult and Wattsense recommend updating to firmware version BSP 6.1.0 or later, where the issue is fixed. Release notes are available on the Wattsense support site, and full details are provided in the SEC Consult report and Full Disclosure mailing list posting.


Vulnerability details

An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0.

CWE(s)

CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability is an unrestricted upload in a public-facing web interface (the Plugin Manager) that lets an authenticated attacker upload and execute arbitrary Python code for remote root access. Reaching the interface over the network corresponds to T1190 (Exploit Public-Facing Application); running the uploaded code corresponds to T1059.006 (Python).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (each shares CWE-434)

CVE-2024-56975
CVE-2019-25580
CVE-2026-27636
CVE-2026-4809
CVE-2020-37090
CVE-2026-24729
CVE-2026-28289
CVE-2026-1730
CVE-2023-50897
CVE-2025-70457

Affected Assets

Wattsense Bridge devices running firmware prior to BSP 6.1.0
Inferred from the references (the SEC Consult advisory) and the description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mitigates the unrestricted upload of malicious Python files by enforcing input validation at the Plugin Manager in the web interface.

Malicious code detection and eradication (prevent, detect)
Detects and eradicates malicious code such as uploaded Python files before they can execute and grant root access on Wattsense Bridge devices.

SI-2 Flaw Remediation (prevent)
Ensures timely application of firmware updates to BSP >= 6.1.0 that remediate the Plugin Manager upload vulnerability.

References