PatchSiren cyber security CVE debrief

CVE-2025-32011 KUNBUS GmbH CVE debrief

CVE-2025-32011 is a critical remote authentication bypass affecting KUNBUS Revolution Pi PiCtory versions 2.5.0 through 2.11.1. The issue is described in the CISA CSAF advisory as a path traversal condition that can let a remote attacker access the application without valid authentication. CISA published the advisory on 2025-05-01 and updated it on 2025-07-10, noting an additional image release in the mitigation guidance.

Vendor: KUNBUS GmbH
Product: Revolution Pi OS Bookworm
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-01
Original CVE updated: 2025-07-10
Advisory published: 2025-05-01
Advisory updated: 2025-07-10

Who should care

Industrial control system and OT operators using KUNBUS Revolution Pi PiCtory, especially systems running versions 2.5.0 through 2.11.1. Also relevant for administrators, integrators, and anyone responsible for remote access, authentication controls, or patching of Revolution Pi environments.

Technical summary

The source advisory states that KUNBUS PiCtory versions 2.5.0 through 2.11.1 contain an authentication bypass vulnerability caused by path traversal. Because the vulnerability is network-reachable and requires no privileges or user interaction, its attack surface is broad. The advisory’s remediation is to update PiCtory to version 2.12; it also recommends enabling authentication where applicable and notes that a Cockpit-based update path is preferred.

Defensive priority

Immediate

Recommended defensive actions

  • Update KUNBUS PiCtory to version 2.12 as soon as possible.
  • Use KUNBUS Cockpit to apply the update where that is the preferred management path.
  • If immediate patching is not possible, activate authentication as recommended in the vendor remediation guide.
  • Review exposed management interfaces and restrict access to trusted administrative networks only.
  • Validate whether any Revolution Pi deployments are running affected PiCtory versions 2.5.0 through 2.11.1 and prioritize those systems for remediation.
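The last action, checking deployments against the affected range, is easy to get wrong with plain string comparison ("2.11.1" sorts before "2.5.0" as text). The following is an added example, not code from PatchSiren or KUNBUS: it encodes the advisory's affected range 2.5.0 through 2.11.1 and the 2.12 remediation target, and triages a constructed inventory whose hostnames and version strings are illustrative only.

```python
# Added example (not from the PatchSiren debrief or KUNBUS): triage PiCtory
# versions from an inventory against the range CVE-2025-32011 names.
from typing import Dict, Tuple

AFFECTED_MIN = (2, 5, 0)    # first affected PiCtory release per the advisory
AFFECTED_MAX = (2, 11, 1)   # last affected PiCtory release per the advisory
FIXED_MIN = (2, 12, 0)      # remediation target named in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.11.1' or '2.12' into a comparable tuple padded to three parts.

    Tuple comparison avoids the string-ordering trap where '2.11.1' < '2.5.0'.
    """
    nums = tuple(int(p) for p in text.strip().split("."))
    return nums + (0,) * (3 - len(nums))


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'outside-range' for one PiCtory version."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    # Older than 2.5.0: not named by the advisory, so verify such hosts manually.
    return "outside-range"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status so affected hosts can be prioritized for patching."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "revpi-line1": "2.11.1",
    "revpi-line2": "2.12",
    "revpi-lab": "2.5.0",
    "revpi-old": "2.4.2",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "affected" map directly to the update-or-enable-authentication actions above; "outside-range" hosts are not covered by the advisory text and still warrant a manual check.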

Evidence notes

The debrief is based on the CISA CSAF advisory ICSA-25-121-01 and the linked CVE record. The advisory metadata names KUNBUS PiCtory versions 2.5.0 through 2.11.1 as affected and identifies update guidance to version 2.12. The advisory revision history shows the initial publication date as 2025-05-01 and Update A on 2025-07-10, which added a new image release to the mitigations.

Official resources

Public advisory published by CISA on 2025-05-01 and updated on 2025-07-10. This debrief uses the CVE and advisory publication dates provided in the source data and does not infer any exploit activity beyond the supplied materials.