CVE Alert: CVE-2025-41719 – Sauter – modulo 6 devices modu680-AS

CVE-2025-41719

Severity: HIGH · No exploitation known

A low-privileged remote attacker can corrupt the web server's user storage on the device by submitting a sequence of unsupported characters, which leads to deletion of all previously configured users and the creation of the default Administrator account with a known default password.

CVSS v3.1 (8.8)
AV NETWORK · AC LOW · PR LOW · UI NONE · S UNCHANGED
Affected products

| Vendor | Product | Affected versions |
| --- | --- | --- |
| Sauter | modulo 6 devices modu680-AS | all versions before Firmware v3.2.0 |
| Sauter | modulo 6 devices modu660-AS | all versions before Firmware v3.2.0 |
| Sauter | modulo 6 devices modu612-LC | all versions before Firmware v3.2.0 |
| Sauter | EY-modulo 5 modu 5 modu524 | all versions before Firmware v6.0 |
| Sauter | EY-modulo 5 modu 5 modu525 | all versions before Firmware v6.0 |
| Sauter | EY-modulo 5 ecos 5 ecos504/505 | all versions before Firmware v6.0 |

CWE: CWE-1286: Improper Validation of Syntactic Correctness of Input
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: 2025-10-22T06:48:30.796Z
Updated: 2025-10-22T06:48:30.796Z

AI Summary Analysis

**Risk verdict** High risk. A remote attacker can corrupt the webserver user storage, delete all configured users and create a default Administrator with a known password, with no user interaction required.

**Why this matters** This enables immediate footholds, full admin access and potential persistence across affected devices in building automation contexts. Attacker objectives may include covert control, disruption of operations, data access or manipulation, and easier lateral movement within networked facilities.

**Most likely attack path** Exploitation requires network access to the device’s web interface and low privileges, with no UI interaction. The root cause is improper validation of user‑controlled input, allowing crafted characters to trigger administrative account replacement. Once the default admin is created, an attacker can assume full control and extend reach to other components or systems connected to the same network.

**Who is most exposed** Sauter modulo 6 devices and the EY-modulo 5 series used in building management and industrial automation are exposed, especially where devices are reachable from the LAN or externally via VPN/web access without strong segmentation.

Detection ideas

  • Alerts for creation of a new admin user or changes to admin credentials.
  • Logs showing sequences of unusual or unsupported characters submitted to the web UI.
  • Unexpected changes to the user store or authentication data files.
  • Access attempts from new/unknown networks or IPs targeting the web interface.
  • Anomalous device reboots or admin session activity.
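The following is an added detection sketch, not code from the original alert or from Sauter. It implements the first two detection ideas above (unsupported characters submitted to the web UI, and creation of or changes to an admin account) plus the reboot idea, and correlates a flagged input with a subsequent Administrator creation inside a short window. The audit log format (`timestamp key=value ...`, with non-printable bytes escaped as `\xNN`) is a hypothetical one constructed for the example; the sample lines are constructed, and the field names, the five-minute window and the account name `Administrator` are assumptions to adapt to the real log source.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical key=value format (not the device's real log syntax).
# The logger is assumed to escape non-printable bytes as \xNN.
SAMPLE_LOG = """\
2025-10-22T06:40:11Z src=10.1.20.7 user=tech1 event=login result=ok
2025-10-22T06:40:35Z src=10.1.20.7 user=tech1 event=user.update target=tech1 field=display_name value=Tech\\x01\\x02\\xff\\xfe
2025-10-22T06:40:36Z src=- user=- event=device.reboot
2025-10-22T06:41:02Z src=10.1.20.7 user=- event=user.create target=Administrator role=admin
2025-10-22T06:41:30Z src=10.1.20.9 user=ops2 event=login result=ok
2025-10-22T06:42:00Z src=10.1.20.9 user=ops2 event=user.update target=ops2 field=display_name value=Ops_Two
"""

PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")       # allow-list: printable ASCII only
ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}")       # logger's escape form for raw bytes
ADMIN_ACCOUNT = "Administrator"                       # assumed name of the default admin
CORRELATION_WINDOW = timedelta(minutes=5)             # assumed window for the reset sequence


def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, val = pair.partition("=")
        rec[key] = val
    return rec


def has_unsupported_chars(value):
    """True if the submitted value falls outside printable ASCII or carries escaped raw bytes."""
    return not PRINTABLE_ASCII.match(value) or bool(ESCAPED_BYTE.search(value))


def analyse(log_text):
    """Return a list of alert dicts, in log order."""
    alerts = []
    suspicious_inputs = []  # timestamps of inputs that failed the allow-list

    def alert(kind, rec, detail):
        alerts.append({"kind": kind, "ts": rec["ts"].isoformat(), "src": rec.get("src"), "detail": detail})

    for line in log_text.splitlines():
        rec = parse_line(line)
        event = rec.get("event", "")

        # Idea 2: unsupported characters submitted through the web UI.
        if "value" in rec and has_unsupported_chars(rec["value"]):
            alert("unsupported_input", rec, f"field={rec.get('field')} value={rec['value']}")
            suspicious_inputs.append(rec["ts"])

        # Idea 5: reboots are informational on their own, notable next to the events below.
        if event == "device.reboot":
            alert("device_reboot", rec, "device reboot logged")

        # Idea 1: creation of an admin account, or changes to the Administrator account.
        if event == "user.create" and rec.get("role") == "admin":
            alert("admin_created", rec, f"target={rec.get('target')}")
            # Correlate by time only: after a user-store reset the default account may be
            # recreated by the device itself, so the source address is not reliable here.
            if rec.get("target") == ADMIN_ACCOUNT and any(
                timedelta(0) <= rec["ts"] - t <= CORRELATION_WINDOW for t in suspicious_inputs
            ):
                alert("possible_user_store_reset", rec,
                      "Administrator created shortly after an unsupported-character input")
        elif event in ("user.update", "password.change") and rec.get("target") == ADMIN_ACCOUNT:
            alert("admin_credentials_changed", rec, f"event={event}")

    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a["ts"], a["kind"], a["src"], a["detail"])
```

Run over the constructed sample, the analysis flags the escaped-byte input, the reboot, the admin creation, and the correlated "possible user store reset"; the benign `Ops_Two` update passes the allow-list and produces nothing. Tuning the allow-list to what the device's web UI actually accepts is the main adaptation needed for a real log source.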

Mitigation and prioritisation

  • Patch affected models to the fixed firmware (v3.2.0 or later for the modulo 6 devices, v6.0 or later for the EY-modulo 5 devices); verify fleet-wide updates.
  • If patching is constrained, enforce network controls: restrict web UI to trusted networks, require VPN, and implement strict access controls and segmentation.
  • Disable or restrict remote admin capabilities; enforce backup and credential rotation; monitor admin account creation and changes.
  • Establish change-management and test in staging; verify integrity of user storage post-update.
  • If KEV present or EPSS ≥ 0.5, treat as priority 1; otherwise, label as high-priority remediation.
