Deprecated SSH cryptographic settings

Advisory Information

• Advisory ID: BOSCH-SA-359440-BT
• CVE Numbers and CVSS v3.1 Scores:
  • CVE-2025-60034
    • Base Score: 7.4 (High)
• Published: 19 Nov 2025
• Last Updated: 19 Nov 2025

Summary

A security issue has been identified in the Bosch MAP 5000 family of products, which stems from the use of insecure cryptographic algorithms in the SSH service configuration. It may expose systems to cryptographic attacks, unauthorized access, or data leakage.

Affected Products

• Bosch MAP 5000 family
  • CVE-2025-60034
    • Version(s): < Bundle 1.48.1

Solution and Mitigations

Software Updates

The recommended approach is to update the affected Bosch firmware. If an update is not possible in a timely manner, users are recommended to follow the mitigations and workarounds described in the following section. The versions to fix this issue are listed in the Advisory Appendix.

A reboot of the device is required after uploading the update.

The version of the firmware should be checked after the update to confirm successful installation.

Network Segmentation

By segmenting the network, you can make it more difficult for an attacker to move laterally within the network, thus reducing the likelihood of a successful attack.

Vulnerability Details

CVE-2025-60034

CVE description: A vulnerability in the Bosch MAP 5000 panel SSH service configuration allows the use of insecure cryptographic algorithms, such as deprecated ciphers, MACs, or key exchange methods. These weak algorithms may be susceptible to cryptographic attacks, potentially enabling an attacker to decrypt or tamper with SSH traffic. Exploitation of this vulnerability could lead to unauthorized access, data leakage, or man-in-the-middle attacks.

• Problem Type:
  • CWE-327 Use of a Broken or Risky Cryptographic Algorithm
• CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Base Score: 7.4 (High)

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

• [1] Contact us webpage: https://www.boschsecurity.com/en/contact/

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

• 19 Nov 2025: Initial Publication

Appendix

Certified Partner Portal

Firmware can be downloaded from the Certified Partner Portal. To get access to the Certified Partner Portal, please get in contact with your authorized MAP sales representative.

Fixed Versions