CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-26411: Authenticated Arbitrary Python File Upload via Plugin Manager

Description

An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0.

Classification

CVE ID: CVE-2025-26411

Affected Products

Vendor: Wattsense

Product: Wattsense Bridge

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.94% (scored less or equal to compared to others)

EPSS Date: 2025-03-12 (when was this score calculated)

References

https://r.sec-consult.com/wattsense
https://support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes

Timeline

2025-02-12 00:31:41 UTC
CVE

Authenticated Arbitrary Python File Upload via Plugin Manager