CVE-2025-41709

Critical · RCE

Published: 10 March 2026

Modified: 18 March 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0215 (79.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-41709 is a critical-severity OS Command Injection (CWE-78) vulnerability in Certvde (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-41709 is a command injection vulnerability (CWE-78) that affects certain devices supporting the Modbus-TCP or Modbus-RTU protocols from the vendors Janitza and Weidmueller, as documented in CERT VDE advisories VDE-2025-079 and VDE-2025-096. Published on 2026-03-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The critical rating reflects that the flaw is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.

An unauthenticated remote attacker can exploit the vulnerability by sending specially crafted Modbus-TCP or Modbus-RTU messages over the network. Successful exploitation enables command injection, granting the attacker read and write access on the affected device and potentially leading to complete compromise with high impacts on confidentiality, integrity, and availability.

Mitigation guidance is provided in the referenced advisories, including https://certvde.com/en/advisories/VDE-2025-079/ and its CSAF document for Janitza products, as well as https://certvde.com/en/advisories/VDE-2025-096/ and its CSAF document for Weidmueller products. Security practitioners should consult these sources for vendor-specific patches, workarounds, or configuration recommendations.

Vulnerability details

An unauthenticated remote attacker can perform a command injection via Modbus-TCP or Modbus-RTU to gain read and write access on the affected device.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote command injection via crafted Modbus-TCP/RTU messages over the network directly enables exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-43984 · Shared CWE-78
CVE-2026-34176 · Shared CWE-78
CVE-2026-47294 · Shared CWE-78
CVE-2020-37125 · Shared CWE-78
CVE-2024-49601 · Shared CWE-78
CVE-2025-62354 · Shared CWE-78
CVE-2022-50596 · Shared CWE-78
CVE-2025-56819 · Shared CWE-78
CVE-2025-48703 · Shared CWE-78
CVE-2026-25111 · Shared CWE-78

Affected Assets

Certvde
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the command injection flaw in Modbus-TCP/RTU handling by applying vendor-specific patches or workarounds from CERT VDE advisories.

prevent

Validates and sanitizes specially crafted Modbus-TCP/RTU inputs to prevent command injection exploitation.

prevent

Enforces network boundary protections to restrict unauthenticated remote access to the vulnerable Modbus service.
