CVE Alert: CVE-2025-41724 – Sauter – modulo 6 devices modu680-AS

CVE-2025-41724

HIGH · No exploitation known

An unauthenticated remote attacker can crash the wscserver by sending incomplete SOAP requests. The wscserver process will not be restarted by a watchdog and a device reboot is necessary to make it work again.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
Sauter
Products and affected versions
  • modulo 6 devices modu680-AS: from 0.0.0, before Firmware v3.2.0
  • modulo 6 devices modu660-AS: from 0.0.0, before Firmware v3.2.0
  • modulo 6 devices modu612-LC: from 0.0.0, before Firmware v3.2.0
  • EY-modulo 5 modu 5 modu524: from 0.0, before Firmware v6.0
  • EY-modulo 5 modu 5 modu525: from 0.0, before Firmware v6.0
  • EY-modulo 5 ecos 5 ecos504/505: from 0.0, before Firmware v6.0
CWE
CWE-239: Failure to Handle Incomplete Element
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-22T07:03:50.109Z
Updated
2025-10-22T07:03:50.109Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote denial-of-service to the wscserver via incomplete SOAP requests; no user interaction required, and availability impact is high.

Why this matters

The affected devices underpin building automation and control functions; a successful attack could take multiple units offline, risking service disruption and potential safety or operational issues. Real-world attacker goals would likely be service disruption, impact on schedules, and potential cascading effects on connected systems.

Most likely attack path

  • Attacker gains network access to the wscserver endpoint (no authentication required).
  • Sends incomplete SOAP requests that the service cannot handle, causing a crash.
  • The watchdog does not restart the wscserver, so a manual reboot is required, enabling repeated attempts or broader downtime.
  • With scope unchanged, exploitation would primarily affect availability rather than confidentiality or integrity.

Who is most exposed

Devices in building automation deployments (modulo 6 and EY-modulo 5 lines) with network-accessible wscserver endpoints, particularly those running firmware older than the stated fixed versions.

Detection ideas

  • Monitor for wscserver crash events and subsequent reboot requests.
  • Detect incomplete or malformed SOAP payloads targeting the wscserver port.
  • Look for watchdog failure events or prolonged service downtime following SOAP traffic bursts.
  • Correlate sudden spikes in SOAP requests with uptime drops on affected devices.
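
One way to implement the second detection idea offline, over request bodies already extracted from a proxy log or packet capture. This is an added example, not vendor or site code; the record layout, the addresses and the GetStatus operation are constructed, and the wscserver port is not assumed.

```python
from xml.parsers import expat
from xml.parsers.expat import errors

# expat error codes meaning the input ended before the document was complete
INCOMPLETE = {errors.codes[m] for m in (
    errors.XML_ERROR_NO_ELEMENTS, errors.XML_ERROR_UNCLOSED_TOKEN,
    errors.XML_ERROR_PARTIAL_CHAR, errors.XML_ERROR_UNCLOSED_CDATA_SECTION)}

class DtdSeen(Exception):
    """Raised from the parser callback; a SOAP message must not carry a DTD."""

def classify(declared_length, body):
    """Return a verdict for one captured HTTP request body (bytes)."""
    if declared_length is not None and len(body) < declared_length:
        return "short_body"          # fewer bytes arrived than Content-Length
    root = []
    def on_start(name, attrs):
        if not root:
            root.append(name.rsplit(" ", 1)[-1])   # local name of root element
    def on_doctype(*args):
        raise DtdSeen()
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except DtdSeen:
        return "dtd_present"
    except expat.ExpatError as exc:
        return "incomplete_xml" if exc.code in INCOMPLETE else "malformed_xml"
    return "ok" if root == ["Envelope"] else "not_soap"

def scan(records):
    """records: (source, declared Content-Length, body). Returns non-ok hits."""
    hits = [(src, classify(length, body)) for src, length, body in records]
    return [(src, verdict) for src, verdict in hits if verdict != "ok"]

# Constructed sample capture; addresses and the GetStatus operation are made up.
NS = b'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
FULL = b"<s:Envelope " + NS + b"><s:Body><GetStatus/></s:Body></s:Envelope>"
CUT = b"<s:Envelope " + NS + b"><s:Body>"            # elements never closed
BAD = b"<s:Envelope " + NS + b"><s:Body></s:Envelope>"  # mismatched close tag
SAMPLE = [
    ("192.0.2.10", len(FULL), FULL),
    ("192.0.2.66", len(FULL) + 40, FULL),
    ("192.0.2.66", len(CUT), CUT),
    ("192.0.2.66", len(FULL) - 5, FULL[:-5]),
    ("192.0.2.20", len(BAD), BAD),
]
```

Repeated `short_body` or `incomplete_xml` verdicts from one source, followed by the device going silent, are the pattern to correlate with the uptime checks above.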

Mitigation and prioritisation

  • Patch to the fixed firmware: modulo 6 devices to v3.2.0+; EY-modulo 5 devices to v6.0+ (or vendor-released equivalents).
  • Enforce network controls: restrict wscserver access to trusted networks; implement firewall rules and network segmentation.
  • Disable or strongly constrain unauthenticated SOAP endpoints if feasible; enable input validation and robust error handling.
  • Establish change-management windows for firmware upgrades; test in staging where possible before broad deployment.
  • If KEV is confirmed or EPSS ≥ 0.5, treat as priority 1; otherwise pursue high-priority remediation with targeted monitoring.
