PatchSiren cyber security CVE debrief

CVE-2025-35996 KUNBUS GmbH CVE debrief

CVE-2025-35996 is a critical stored cross-site scripting (XSS) issue in KUNBUS PiCtory 2.11.1 and earlier. An authenticated remote attacker can supply a specially crafted filename through API endpoints; when that filename is later shown in the list of configuration files without escaping or sanitization, the browser interprets it as HTML and can execute any script it contains.

Vendor: KUNBUS GmbH
Product: Revolution Pi OS Bookworm
CVSS: 9 (CRITICAL)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-01
Original CVE updated: 2025-07-10
Advisory published: 2025-05-01
Advisory updated: 2025-07-10

Who should care

Organizations running KUNBUS Revolution Pi / PiCtory, especially operators exposing management or configuration interfaces to authenticated users. This is most relevant where browser-based administration is used and where user-controlled filenames can be stored and later displayed.

Technical summary

The CISA CSAF advisory for ICSA-25-121-01 states that KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a stored cross-site scripting condition. The issue requires an authenticated remote attacker with low privileges and user interaction, consistent with the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H; the changed scope (S:C) reflects that the injected script runs in the victim's browser session rather than in the component that stored the filename. The flaw arises because a crafted filename stored via API endpoints is later sent to the client without adequate escaping or sanitization, so the browser renders it as markup and executes any script within it.
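The following is an added example, not code from KUNBUS, PiCtory or the CISA advisory, showing the general pattern behind this class of bug: a stored filename interpolated straight into HTML beside the same rendering with output encoding, plus the allow-list check a defender would apply at the API boundary and when reviewing already-stored names. The function names, the allow-list regex and the sample file list are assumptions constructed for the example.

```javascript
// Added example (not PiCtory's code): stored-XSS via a filename, and the fix.
// Function names, ALLOWED_FILENAME and SAMPLE_FILES are constructed assumptions.

// Vulnerable pattern: the stored name is pasted into markup unchanged, so any
// '<' or '>' in it becomes part of the page's HTML.
function renderFileListUnsafe(filenames) {
  return '<ul>' + filenames.map(n => `<li>${n}</li>`).join('') + '</ul>';
}

// Output encoding: every character with meaning in HTML becomes an entity,
// so the name is displayed as text instead of parsed as markup.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => entities[c]);
}

// Hardened rendering: identical structure, but each name is encoded first.
// In a browser, assigning the name to element.textContent achieves the same.
function renderFileListSafe(filenames) {
  return '<ul>' + filenames.map(n => `<li>${escapeHtml(n)}</li>`).join('') + '</ul>';
}

// Input validation at the API boundary (assumed policy): a strict allow-list
// of characters a configuration filename legitimately needs.
const ALLOWED_FILENAME = /^[A-Za-z0-9._-]{1,64}$/;

function validateFilename(name) {
  return ALLOWED_FILENAME.test(name);
}

// Review helper for names already on disk or in the database: anything that
// fails the allow-list deserves a look, whether or not it was rendered yet.
function findSuspiciousFilenames(filenames) {
  return filenames.filter(n => !validateFilename(n));
}

// Constructed sample data: one ordinary name and one that carries markup.
const SAMPLE_FILES = ['_config.rsc', 'backup<script>alert(1)</script>.rsc'];

console.log('unsafe:', renderFileListUnsafe(SAMPLE_FILES));
console.log('safe:  ', renderFileListSafe(SAMPLE_FILES));
console.log('review:', findSuspiciousFilenames(SAMPLE_FILES));
```

Output encoding at render time is the fix that closes the bug regardless of how the name got stored; the allow-list is defence in depth that also gives operators a concrete way to audit existing configuration directories, as the "review any workflows" action below suggests.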

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade PiCtory to version 2.12 as recommended by KUNBUS.
  • Use the Cockpit management UI for the preferred update path where available.
  • Enable authentication if it is not already active, following the vendor remediation guidance.
  • Review any workflows that let users create or store filenames that are later displayed in the browser.
  • Apply CISA and vendor guidance to reduce exposure in industrial control system administration interfaces.

Evidence notes

The supplied CISA CSAF source (ICSA-25-121-01) identifies affected product KUNBUS Revolution Pi PiCtory: <=2.11.1 and describes an authenticated remote XSS caused by a crafted filename being stored by API endpoints and later rendered without proper escaping. The same advisory lists remediation to update PiCtory to 2.12, recommends activating authentication, and notes that Update A added a new image release for Revolution Pi OS Bookworm in the mitigations. The CVSS vector provided in the source is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H.

Official resources

CVE-2025-35996 was published on 2025-05-01T06:00:00.000Z and the advisory was modified on 2025-07-10T06:00:00.000Z. CISA’s Update A on that later date added a new Revolution Pi OS Bookworm image release to the mitigations.