PatchSiren cyber security CVE debrief

CVE-2025-36558 KUNBUS GmbH CVE debrief

CVE-2025-36558 is a reflected cross-site scripting vulnerability in KUNBUS PiCtory version 2.11.1 and earlier. According to the CISA CSAF advisory, an attacker can supply a PiCtory URL with HTML/script content in the sso_token used for authentication, causing the script to be returned to the user and executed. The advisory rates the issue CVSS 6.1 (medium) and lists PiCtory 2.12 as the remediation target.

Vendor: KUNBUS GmbH
Product: Revolution Pi OS Bookworm
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-01
Original CVE updated: 2025-07-10
Advisory published: 2025-05-01
Advisory updated: 2025-07-10

Who should care

Operators and integrators running KUNBUS PiCtory 2.11.1 or earlier, especially in environments where users may open PiCtory links from emails, tickets, chat, or external systems. Security teams responsible for web application hardening and industrial control system support should also review exposure.

Technical summary

The affected component is KUNBUS PiCtory <= 2.11.1. The weakness is a cross-site scripting condition involving the sso_token authentication parameter. The vulnerable behavior is reflection of unsanitized input: if a crafted URL is delivered to a user, script content placed in sso_token is echoed back in the response and executed in the user's browser. The CVSS v3.1 vector provided by the source is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, user interaction required, a scope change, and low confidentiality and integrity impact.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade PiCtory to version 2.12 as recommended in the CSAF advisory.
  • Prefer the KUNBUS Cockpit management UI for the update process, or use the vendor-provided package source referenced in the advisory.
  • Enable authentication where it is not already active, following the KUNBUS remediation guidance.
  • Review links and workflows that distribute PiCtory URLs to users, and treat untrusted sso_token values as suspicious.
  • Re-check the advisory after the 2025-07-10 Update A, which added a new Revolution Pi OS Bookworm image release to the mitigations.

Evidence notes

All core claims are taken from the CISA CSAF advisory ICSA-25-121-01 and its included notes/references: PiCtory 2.11.1 and earlier are affected; the issue is cross-site scripting via sso_token; and version 2.12 is the stated update target. The advisory revision history shows the initial publication on 2025-05-01 and Update A on 2025-07-10, which added a new image release to mitigations. CVSS and vector details are taken from the advisory metadata.

Official resources

Publicly disclosed by CISA in advisory ICSA-25-121-01 on 2025-05-01; the advisory was updated on 2025-07-10 (Update A) to add a new image release to the mitigations.