Vulnerabilities in ctrlX OS - Setup

BOSCH-SA-129652

Advisory Information

Summary

The base ctrlX OS Setup app contains multiple vulnerabilities. In a worst case scenario, an authenticated (low privileged) attacker could gain remote access to backup archives created by a user with elevated permissions. Depending on the content of the backup archive, the attacker may have been able to access sensitive data.

Affected Products

  • Bosch Rexroth AG ctrlX OS - Setup
    • CVE-2025-48860, CVE-2025-48861, CVE-2025-48862
      • Version(s): 1.20.0 - 1.20.1 (inclusive)
      • Version(s): 2.6.0 - 2.6.1 (inclusive)
      • Version(s): 3.6.0 - 3.6.2 (inclusive)

Solution and Mitigations

Solution

An updated version of the affected component is available for all long term supported (LTS) releases. The user is strongly recommended to update to the latest version. The update of the app might require a reboot of the device and the device will therefore temporarily become unavailable. To verify that the updated version is installed, please check the version by using the package management of the device.

Mitigation

For the following vulnerabilities, countermeasures exist which mitigate the risk:

  • CVE-2025-48860: When a backup has been created and downloaded, delete the created backup file using the web interface.

  • CVE-2025-48862: When encryption is required for the files contained in the backup, use an external program to encrypt the backup file after the download.

Nevertheless, it is strongly advised to use an up-to-date version of the affected app.

Vulnerability Details

CVE-2025-48860

CVE description: A vulnerability in the web application of the ctrlX OS setup mechanism allowed an authenticated (low privileged) attacker to gain remote access to backup archives created by a user with elevated permissions. Depending on the content of the backup archive, the attacker may have been able to access sensitive data.

CVE-2025-48861

CVE description: A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps.

CVE-2025-48862

CVE description: Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains unencrypted.
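One check that follows from this description is whether a downloaded backup is encrypted as a whole, or is a plain archive that merely holds an encrypted key. The example below is added here and is not Bosch code; the archive format and the file names inside it are constructed assumptions, since the advisory does not describe the backup layout. If the entry list can be read, the backup file itself is plaintext regardless of what the web interface suggested.

```python
"""Check whether a downloaded backup file is actually encrypted as a whole.

Added example, not Bosch code. Assumes the backup is a tar or zip archive;
the sample archive and its file names are constructed for illustration."""
import hashlib
import io
import math
import tarfile
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Compressed AND encrypted data both approach 8.0, so
    entropy alone cannot prove encryption; parseability can disprove it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_backup(blob: bytes) -> dict:
    """Try to open the blob as tar (any compression) or zip.
    A readable entry list means the archive is plaintext, even if single
    files inside it (for example a private key) are individually protected."""
    result = {"readable": False, "format": None, "entries": [],
              "entropy": round(shannon_entropy(blob), 2)}
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            names = [m.name for m in tar.getmembers() if m.isfile()]
            result.update(readable=True, format="tar", entries=names)
            return result
    except tarfile.TarError:
        pass
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
            result.update(readable=True, format="zip", entries=names)
    except zipfile.BadZipFile:
        pass
    return result


def build_sample_backup() -> bytes:
    """Constructed tar.gz: a config file plus a (fake) device key."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in (("settings.json", b'{"hostname": "demo"}'),
                              ("device-key.pem", b"-----BEGIN PRIVATE KEY-----\nFAKE\n")):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_opaque_sample() -> bytes:
    """Deterministic high-entropy bytes standing in for a wholly encrypted file."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
```

Running `inspect_backup` on a real download that returns `readable: True` tells you the archive must still be encrypted with an external tool before it is stored or transferred.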

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 14 Aug 2025: Initial Publication

Appendix

Acknowledgement

The vulnerabilities have been uncovered and disclosed responsibly by Michael Messner and Benedikt Kuehne from Siemens Energy. We thank them for making a responsible disclosure with us.