CVE Alert: CVE-2025-41722 – Sauter – modulo 6 devices modu680-AS

CVE-2025-41722

HIGH · No exploitation known

The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the software of the affected devices.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
Sauter
Product and affected versions
  • modulo 6 devices modu680-AS: all versions before Firmware v3.2.0 (from 0.0.0)
  • modulo 6 devices modu660-AS: all versions before Firmware v3.2.0 (from 0.0.0)
  • modulo 6 devices modu612-LC: all versions before Firmware v3.2.0 (from 0.0.0)
  • EY-modulo 5 modu 5 modu524: all versions before Firmware v6.0 (from 0.0)
  • EY-modulo 5 modu 5 modu525: all versions before Firmware v6.0 (from 0.0)
  • EY-modulo 5 ecos 5 ecos504/505: all versions before Firmware v6.0 (from 0.0)
CWE
CWE-798 Use of Hard-coded Credentials
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published
2025-10-22T06:58:31.679Z
Updated
2025-10-22T06:58:31.679Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote extraction of private keys enables device impersonation and compromise of SOAP communications; warrants urgent attention.

Why this matters

Hard-coded credentials create a durable vulnerability that can be exploited without user interaction, risking disclosure of cryptographic material and impersonation of affected devices. In practice, attackers could access central management traffic, tamper with commands, or exfiltrate sensitive data across building automation deployments.

Most likely attack path

The CVSS indicates network-based, unauthenticated access with no privileges required and no user interaction. An attacker could reach the WSC service, extract private keys, and use them to sign or validate SOAP messages, effectively impersonating legitimate devices. If network segmentation is weak, there is potential for limited lateral movement within trusted management domains.

Who is most exposed

Most exposed are building automation and energy-management installations where modulo devices run on local networks or bridged management systems; exposure increases when these endpoints are reachable from less-trusted networks or the internet.

Detection ideas

  • Unusual or unauthorized SOAP endpoint activity from unknown sources
  • Access to key/certificate stores or private-key exfiltration indicators
  • SOAP signature verification failures or unexpected certificates in use
  • Device identity mismatches or impersonation events
  • Elevated or anomalous access to WSC/admin APIs

Mitigation and prioritisation

  • Apply vendor firmware updates to remediate hard-coded credential weaknesses; implement strict patch/change-management processes.
  • Remove or rotate hard-coded credentials; deploy dynamic certificate handling and proper key management.
  • Enforce network controls: restrict WSC access, implement segmentation, and apply least-privilege for management traffic.
  • Increase logging/monitoring around key material access and SOAP/X509 validation events; set alerting for impersonation indicators.
  • If KEV is true or EPSS ≥ 0.5, treat as priority 1. Validate via vendor guidance and plan a staged remediation.
