CVE-2025-26411
Published: 11 February 2025
Summary
CVE-2025-26411 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in SEC Consult (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the unrestricted upload of malicious Python files by enforcing input validation at the Plugin Manager in the web interface.
- Detects and eradicates malicious code, such as uploaded Python files, before it can execute and grant root access on Wattsense Bridge devices.
- Ensures timely application of the firmware updates (BSP >= 6.1.0) that remediate the Plugin Manager upload vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unrestricted upload in a public-facing web interface (Plugin Manager) that allows authenticated attackers to upload and execute arbitrary Python code for remote root access, directly enabling T1190 (Exploit Public-Facing Application) and T1059.006 (Python).
NVD Description
An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0.
Deeper analysis
CVE-2025-26411 is an unrestricted upload vulnerability in the Plugin Manager of the web interface on Wattsense Bridge devices. It allows an authenticated attacker to upload malicious Python files to the device, enabling remote root access. The vulnerability is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It affects Wattsense Bridge devices running firmware versions prior to BSP 6.1.0.
An attacker with a valid user account on the Wattsense web interface can exploit this issue over the network with low complexity and no user interaction required. By leveraging the Plugin Manager, the attacker uploads and executes arbitrary Python code, achieving full remote root privileges on the device. This grants complete control, including potential data exfiltration, modification of device configurations, or further lateral movement within connected networks.
Advisories from SEC Consult and Wattsense recommend updating to firmware version BSP 6.1.0 or later, where the issue is fixed. Release notes are available on the Wattsense support site, and full details are provided in the SEC Consult report and Full Disclosure mailing list posting.
Details
- CWE(s)