
Multiple ctrlX OS vulnerabilities

BOSCH-SA-640452

Advisory Information

Summary

The base ctrlX OS apps Device Admin and Solutions contain multiple vulnerabilities. In a worst-case scenario, a remote authenticated (low-privileged) attacker might be able to execute arbitrary OS commands running with higher privileges. The vulnerabilities have been uncovered and disclosed responsibly by Nozomi. We thank them for making a responsible disclosure with us.

Affected Products

  • Bosch Rexroth AG ctrlX OS - Device Admin
    • CVE-2025-24339, CVE-2025-24340, CVE-2025-24341, CVE-2025-24342, CVE-2025-24346, CVE-2025-24347, CVE-2025-24348, CVE-2025-24349, CVE-2025-24350
      • Version(s): 1.12.0 - 1.12.9 (including)
      • Version(s): 1.20.0 - 1.20.7 (including)
      • Version(s): 2.6.0 - 2.6.8 (including)
    • CVE-2025-24345, CVE-2025-24351
      • Version(s): 1.20.0 - 1.20.7 (including)
      • Version(s): 2.6.0 - 2.6.8 (including)
    • CVE-2025-27532
      • Version(s): 1.12.0 - 1.12.9 (including)
      • Version(s): 1.20.0 - 1.20.7 (including)
  • Bosch Rexroth AG ctrlX OS - Solutions
    • CVE-2025-24338, CVE-2025-24343, CVE-2025-24344
      • Version(s): 1.12.0 - 1.12.1 (including)
      • Version(s): 1.20.0 - 1.20.1 (including)
      • Version(s): 2.6.0 - 2.6.0 (including)

Solution and Mitigations

Solution

Updated versions of the affected components are available for all LTS releases. Users are strongly recommended to update to the latest versions. The update of the apps might require a reboot of the device, so the device will temporarily become unavailable. To verify that the updated versions are installed, check the installed version using the package management of the device.
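As an added example (not part of the advisory or of ctrlX OS itself), a small Python check that compares the app version reported by the device's package management against the inclusive version ranges published above; the app names used as keys and the sample inventory are assumptions.

```python
# Added example: check installed ctrlX OS app versions against the affected
# ranges from BOSCH-SA-640452. Each (low, high) pair is inclusive at both ends,
# matching the advisory's "1.12.0 - 1.12.9 (including)" notation.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# App names are assumed labels; CVE groups and ranges are as published.
ADVISORY: Dict[str, List[Tuple[List[str], List[Tuple[str, str]]]]] = {
    "Device Admin": [
        (["CVE-2025-24339", "CVE-2025-24340", "CVE-2025-24341", "CVE-2025-24342",
          "CVE-2025-24346", "CVE-2025-24347", "CVE-2025-24348", "CVE-2025-24349",
          "CVE-2025-24350"],
         [("1.12.0", "1.12.9"), ("1.20.0", "1.20.7"), ("2.6.0", "2.6.8")]),
        (["CVE-2025-24345", "CVE-2025-24351"],
         [("1.20.0", "1.20.7"), ("2.6.0", "2.6.8")]),
        (["CVE-2025-27532"],
         [("1.12.0", "1.12.9"), ("1.20.0", "1.20.7")]),
    ],
    "Solutions": [
        (["CVE-2025-24338", "CVE-2025-24343", "CVE-2025-24344"],
         [("1.12.0", "1.12.1"), ("1.20.0", "1.20.1"), ("2.6.0", "2.6.0")]),
    ],
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (leading 'v' and missing patch tolerated) into
    integers, so that 1.12.10 sorts after 1.12.9 unlike a plain string compare."""
    parts = text.strip().lstrip("vV").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def affected_cves(app: str, installed: str) -> List[str]:
    """Return the advisory CVE IDs that apply to the installed version of `app`
    (empty list when the version lies outside every published range)."""
    version = parse_version(installed)
    hits: List[str] = []
    for cves, ranges in ADVISORY.get(app, []):
        if any(parse_version(lo) <= version <= parse_version(hi) for lo, hi in ranges):
            hits.extend(cves)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory: (app, version shown by the device's package management).
    for app, ver in [("Device Admin", "1.12.5"), ("Device Admin", "2.6.9"), ("Solutions", "1.20.1")]:
        found = affected_cves(app, ver)
        print(f"{app} {ver}: {'affected by ' + ', '.join(found) if found else 'outside affected ranges'}")
```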

Mitigation

The vulnerabilities tracked as

  • CVE-2025-24338
  • CVE-2025-24340
  • CVE-2025-24341
  • CVE-2025-24343
  • CVE-2025-24345
  • CVE-2025-24346
  • CVE-2025-24347
  • CVE-2025-24348
  • CVE-2025-24349
  • CVE-2025-24350
  • CVE-2025-24351
  • CVE-2025-27532

cannot be exploited remotely without prior authentication. To exploit them, an attacker must be logged in to the device and must additionally be permitted to use at least one of the affected functionalities. Therefore, assign permissions following the least-privilege principle only, and make sure that strong password policies are enforced for all user accounts. The default password policies of ctrlX OS are considered sufficiently strong.

For the following CVEs, please apply individual measures:

  • CVE-2025-24339: Make sure that all links are verified before clicking them, and always access ctrlX OS using the secure https address only

  • CVE-2025-24342: Make sure that for all user accounts strong password policies are set so that even when an attacker is able to determine that a specific account exists, brute-forcing the password is not feasible

  • CVE-2025-24344: Make sure that artefacts are coming from a trustworthy source before uploading them to ctrlX OS

Nevertheless, it is strongly advised to use up-to-date versions of the affected apps.

Vulnerability Details

CVE-2025-24338

CVE description: A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to execute arbitrary client-side code in the context of another user’s browser via multiple crafted HTTP requests.

CVE-2025-24339

CVE description: A vulnerability in the web application of ctrlX OS allows a remote unauthenticated attacker to conduct various attacks against users of the vulnerable system, including web cache poisoning or Man-in-the-Middle (MitM), via a crafted HTTP request.

CVE-2025-24340

CVE description: A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users.

CVE-2025-24341

CVE description: A vulnerability in the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to induce a Denial-of-Service (DoS) condition on the device via multiple crafted HTTP requests. In the worst case, a full power cycle is needed to regain control of the device.

CVE-2025-24342

CVE description: A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests.

CVE-2025-24343

CVE description: A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request.

CVE-2025-24344

CVE description: A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user’s browser via a crafted HTTP request.

CVE-2025-24345

CVE description: A vulnerability in the “Hosts” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the “hosts” file in an unintended manner via a crafted HTTP request.

CVE-2025-24346

CVE description: A vulnerability in the “Proxy” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the “/etc/environment” file via a crafted HTTP request.

CVE-2025-24347

CVE description: A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request.

CVE-2025-24348

CVE description: A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request.

CVE-2025-24349

CVE description: A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to delete the configuration of physical network interfaces via a crafted HTTP request.

CVE-2025-24350

CVE description: A vulnerability in the “Certificates and Keys” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request.

CVE-2025-24351

CVE description: A vulnerability in the “Remote Logging” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to execute arbitrary OS commands in the context of user “root” via a crafted HTTP request.

CVE-2025-27532

CVE description: A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to access secret information via multiple crafted HTTP requests.

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 25 Apr 2025: Initial Publication

Appendix

Acknowledgement

These vulnerabilities have been uncovered and disclosed responsibly by Andrea Palanca from Nozomi Networks. We thank him for making a responsible disclosure with us.