Critical flaws in KUNBUS Revolution Pi industrial control systems enable authentication bypass and command execution
Take action: If you have KUNBUS Revolution Pi industrial control systems, as usual first check that they are isolated from the internet and reachable only from trusted networks. Then check your versions and update to the latest releases (PiCtory 2.12, Webstatus 2.4.6, and the new OS Bookworm image from April 2025). If you cannot re-image a Bookworm device right away, enable authentication on its Node-RED server by hand in the meantime. There are a lot of nasty flaws in the product, so don't skip patching.
Learn More
CISA has issued advisories warning of flaws in KUNBUS GmbH's Revolution Pi industrial control systems that could allow attackers to bypass authentication mechanisms, gain unauthorized access to critical functions, and execute malicious commands on industrial infrastructure.
Revolution Pi systems are industrial computing platforms built on Raspberry Pi hardware that serve as programmable logic controllers (PLCs) and IoT gateways in industrial automation environments.
The vulnerabilities were discovered by security researchers Adam Bromiley of Pen Test Partners and Ajay Anto, who reported their findings to KUNBUS's Product Security Incident Response Team (PSIRT) and CISA through coordinated disclosure processes. The flaws are covered by two separate CISA advisories, one for each affected component group of the Revolution Pi ecosystem.
Vulnerability summary:
ICSA-25-121-01 - Revolution Pi Core Vulnerabilities:
- CVE-2025-24522 (CVSS score 9.3) - Missing Authentication for Critical Function, rated critical severity. The Node-RED server in Revolution Pi OS Bookworm ships without authentication enabled by default, allowing unauthenticated attackers to execute arbitrary commands on the operating system.
- CVE-2025-32011 (CVSS score 9.3) - Authentication Bypass by Primary Weakness. KUNBUS PiCtory versions 2.5.0 through 2.11.1 contain an authentication bypass vulnerability where remote attackers can bypass authentication through path traversal exploitation.
- CVE-2025-35996 (CVSS score 8.5) - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page. PiCtory versions 2.11.1 and earlier allow authenticated attackers to craft malicious filenames that can be executed as HTML script tags, resulting in cross-site scripting attacks.
- CVE-2025-36558 (CVSS score 5.1) - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page, rated as medium severity. PiCtory versions 2.11.1 and earlier are vulnerable to cross-site scripting attacks via the sso_token authentication parameter.
ICSA-25-191-09 - RevPi Webstatus Vulnerability:
- CVE-2025-41646 (CVSS score 9.3) - Incorrect Implementation of Authentication Algorithm. The Revolution Pi Webstatus application versions 2.4.5 and prior contain an authentication bypass vulnerability due to improper password verification: a JSON boolean value supplied in place of the password string passes the authentication check.
The vulnerabilities impact multiple product lines and versions across the KUNBUS Revolution Pi ecosystem:
- Revolution Pi OS Bookworm: Versions 01/2025 and earlier
- Revolution Pi PiCtory: Versions 2.5.0 through 2.11.1
- Revolution Pi Webstatus: Version 2.4.5 and earlier
- Revolution Pi OS Bullseye: Multiple releases from 06/2023 through 04/2024
KUNBUS has released PiCtory version 2.12 to address the core vulnerabilities and plans to provide additional security enhancements through a new Cockpit plugin by the end of April 2025. For the Webstatus vulnerability, KUNBUS released version 2.4.6 to correct the authentication bypass flaw.
KUNBUS published a new image for Revolution Pi OS Bookworm on April 30, 2025, and provides instructions for users to manually activate authentication on Node-RED servers as an interim measure.
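Enabling authentication on Node-RED is done in its `settings.js` (by default under `~/.node-red/`), where the `adminAuth` block that protects the editor and the admin API is shipped commented out; that absent block is the condition CVE-2025-24522 describes. The excerpt below is an added example, not KUNBUS's instructions or Node-RED project code: the username is an assumption, and the password fields hold a placeholder that must be replaced with the bcrypt hash printed by `node-red admin hash-pw`. Only the authentication-related settings are shown.

```javascript
// Added example (not KUNBUS or Node-RED project code): the authentication
// settings a Revolution Pi operator would add to ~/.node-red/settings.js.
// Username and the hash placeholder are assumptions; generate the real hash
// with `node-red admin hash-pw` and paste its output in place of it.
const settings = {
  // Bind the editor to loopback unless it must be reached from the OT
  // network; network isolation is still required either way.
  uiHost: "127.0.0.1",
  uiPort: 1880,

  // Without this block (the shipped default) the editor and the admin API
  // accept any request, and the editor can run arbitrary commands as the
  // Node-RED user via exec nodes.
  adminAuth: {
    type: "credentials",
    users: [
      {
        username: "admin",
        password: "$2b$08$REPLACE_WITH_OUTPUT_OF_node-red_admin_hash-pw",
        permissions: "*",
      },
    ],
    // Session lifetime in seconds; the default is seven days.
    sessionExpiryTime: 3600,
  },

  // adminAuth does not cover endpoints created by HTTP In nodes; this
  // applies basic auth to them, using the same bcrypt hash format.
  httpNodeAuth: {
    user: "flows",
    pass: "$2b$08$REPLACE_WITH_OUTPUT_OF_node-red_admin_hash-pw",
  },
};

module.exports = settings;
```

After restarting Node-RED, a request to `http://<host>:1880/settings` without a token should return 401 rather than the settings document; that is a quick way to confirm the change took effect on every device.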
The company recommends updating through Cockpit, its management UI, but manual update packages are also available for direct download.
Organizations using KUNBUS Revolution Pi systems should inventory their deployments, check installed versions against the vulnerable ranges listed above, and prioritize applying the available updates; where a Bookworm device cannot be re-imaged immediately, enabling Node-RED authentication manually closes the most serious exposure in the meantime.