Cyber Resilience

CVE-2025-41646

Severity: Critical
Published: 06 June 2025
Modified: 10 June 2025
KEV Added: not listed
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3384 (97.1st percentile)
Risk Priority: 40 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-41646 is a critical-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in Kunbus Revpi Status. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 2.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-41646 is an authentication bypass vulnerability in a KUNBUS software package, stemming from incorrect type conversion as classified under CWE-704. The flaw carries a CVSS 3.1 base score of 9.8 and permits remote attackers to circumvent authentication controls, resulting in full compromise of the affected device.

An unauthenticated remote attacker can exploit the issue over the network with low attack complexity and no user interaction required. Successful exploitation grants complete control of the device, including the ability to read, modify, or disrupt its data and functionality.

Vendor advisories published by KUNBUS provide further details on the affected package and recommended actions; they are available at the referenced PSIRT JSON and product security pages. The associated EPSS score has remained at 0.3384 since disclosure with no material increase observed.

Vulnerability details

An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: kunbus
Product: revpi status
Affected versions: ≤ 2.4.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
