PT-2025-47290 · Device · Device

Noam Moshe +1 · Published 2025-11-18 · Updated 2025-11-18 · CVE-2025-41733

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: versions prior to 2.3

Description: The commissioning wizard does not check whether the device is already initialized. An unauthenticated remote attacker can therefore construct HTTP POST requests to the commissioning wizard's API endpoint that set or modify the root credentials. The root cause is insufficient validation during the commissioning process, and the result is unauthorized access to and control over the device.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2025-41733

Affected Products

Device