PT-2025-24677 · Siemens · Scalance Xr326-8+20

Published 2025-06-10 · Updated 2025-06-10 · CVE-2025-40569

CVSS v2.0

4.9

Medium

Vector

AV:N/AC:H/Au:S/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

RUGGEDCOM RST2428P versions prior to V3.2
SCALANCE XC316-8 versions prior to V3.2
SCALANCE XC324-4 versions prior to V3.2
SCALANCE XC324-4 EEC versions prior to V3.2
SCALANCE XC332 versions prior to V3.2
SCALANCE XC416-8 versions prior to V3.2
SCALANCE XC424-4 versions prior to V3.2
SCALANCE XC432 versions prior to V3.2
SCALANCE XCH328 versions prior to V3.2
SCALANCE XCM324 versions prior to V3.2
SCALANCE XCM328 versions prior to V3.2
SCALANCE XCM332 versions prior to V3.2
SCALANCE XR302-32 versions prior to V3.2
SCALANCE XR322-12 versions prior to V3.2
SCALANCE XR326-8 versions prior to V3.2
SCALANCE XR326-8 EEC versions prior to V3.2
SCALANCE XR502-32 versions prior to V3.2
SCALANCE XR522-12 versions prior to V3.2
SCALANCE XR526-8 versions prior to V3.2
SCALANCE XRH334 versions prior to V3.2
SCALANCE XRM334 versions prior to V3.2

Description

A race condition vulnerability has been identified in the "Load Configuration from Local PC" functionality in the web interface of affected products. This could allow an authenticated remote attacker to make the affected product load an attacker-controlled configuration instead of the legitimate one. Successful exploitation requires that a legitimate administrator invokes the functionality and the attacker wins the race condition.

Recommendations

For all affected versions, update to version V3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Load Configuration from Local PC" functionality in the web interface until a patch is available.

Fix

Race Condition

Weakness Enumeration

Related Identifiers

BDU:2025-10418
CVE-2025-40569

Affected Products

Ruggedcom Rst2428P
Scalance Xc316-8
Scalance Xc324-4
Scalance Xr324-4M Eec
Scalance Xc332
Scalance Xc416-8
Scalance Xc424-4
Scalance Xc432
Scalance Xch328
Scalance Xcm324
Scalance Xcm328
Scalance Xcm332
Scalance Xr302-32
Scalance Xr322-12
Scalance Xr326-8
Scalance Xr326-8 Eec
Scalance Xr502-32
Scalance Xr522-12
Scalance Xr526-8C
Scalance Xrh334
Scalance Xrm334