PatchSiren cyber security CVE debrief

CVE-2025-41646 KUNBUS CVE debrief

CVE-2025-41646 affects KUNBUS Revolution Pi Webstatus and is rated Critical (CVSS 9.8). CISA's CSAF advisory says the password check can be bypassed because of implicit type conversion: supplying the JSON value true in the password parameter hashcode produces an incorrect authentication result, letting a remote, unauthenticated attacker log in without knowing the password. KUNBUS provides a fixed Webstatus package, version 2.4.6. The advisory also lists several Revolution Pi OS Bullseye releases in the affected set. No KEV entry is listed in the supplied data.

Vendor
KUNBUS
Product
Revolution Pi Webstatus
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2025-07-10
Original CVE updated
2025-07-10
Advisory published
2025-07-10
Advisory updated
2025-07-10

Who should care

KUNBUS Revolution Pi operators, OT/ICS administrators, plant engineers, and incident responders responsible for Revolution Pi Webstatus installations or Revolution Pi OS Bullseye systems listed in the advisory.

Technical summary

The advisory describes an authentication bypass in the Webstatus application's password validation path. A JSON true value in the password parameter hashcode triggers implicit type conversion and leads to an incorrect authentication outcome: the boolean is compared loosely against the stored credential instead of being rejected for having the wrong type. Affected Webstatus releases are <= 2.4.5; KUNBUS identifies Webstatus 2.4.6 as the updated package. The CSAF advisory enumerates additional Revolution Pi OS Bullseye build entries as affected products.
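The advisory does not publish the vulnerable code or name the language Webstatus is written in, so the following is an added illustration of the bug class, not Webstatus code. It models the loose comparison that PHP performs when one operand is a boolean (the other side is converted to bool, so true == "any non-empty string" holds) and shows a hardened check beside it. The stored hash value, the JSON request bodies, and the function names are constructed for this example.

```python
import hmac
import json
from typing import Any

# Constructed stored credential for the example; a real server would keep
# a digest of the configured password. Not a value from the advisory.
STORED_HASHCODE = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"


def php_loose_equals(a: Any, b: Any) -> bool:
    """Model of PHP's loose (==) comparison for the case that matters here.

    When either operand is a bool, PHP converts the other operand to bool
    before comparing, so  true == "<non-empty string>"  evaluates to true.
    This models the implicit type conversion named in the advisory; it is
    not a claim about Webstatus' implementation language.
    """
    if isinstance(a, bool) or isinstance(b, bool):
        return bool(a) == bool(b)
    return a == b


def vulnerable_check(body: str) -> bool:
    """Password check that trusts the JSON value's type (illustrative).

    A body of {"hashcode": true} passes, because the boolean is compared
    loosely against the stored hash string.
    """
    data = json.loads(body)
    supplied = data.get("hashcode")
    return php_loose_equals(supplied, STORED_HASHCODE)


def hardened_check(body: str) -> bool:
    """Password check that enforces the expected type before comparing.

    Non-string JSON values (true, null, numbers, objects) are rejected
    outright; a string is compared in constant time so the check does not
    leak how many leading bytes matched.
    """
    data = json.loads(body)
    supplied = data.get("hashcode")
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode("utf-8"),
                               STORED_HASHCODE.encode("utf-8"))


if __name__ == "__main__":
    for body in ('{"hashcode": true}',
                 '{"hashcode": "not-the-hash"}',
                 '{"hashcode": "%s"}' % STORED_HASHCODE):
        print(body, "vulnerable:", vulnerable_check(body),
              "hardened:", hardened_check(body))
```

The point of the hardened form is the type check, not the constant-time compare: any JSON decoder that hands the application a native boolean, followed by a comparison that coerces types, reproduces the bypass. Schema-validating the login body (hashcode must be a string of the expected length) before it reaches the comparison closes the same hole one layer earlier.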

Defensive priority

Critical. The supplied CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable, unauthenticated issue with high confidentiality, integrity, and availability impact.

Recommended defensive actions

  • Prioritize upgrading Revolution Pi Webstatus to version 2.4.6 using the vendor package or apt-get update && apt-get upgrade, as directed by KUNBUS.
  • If immediate upgrading is not possible, follow the workarounds and mitigations in the CISA/KUNBUS advisory for all affected product entries.
  • Inventory all Revolution Pi Webstatus deployments and compare against the affected version range (<= 2.4.5).
  • Validate whether any Revolution Pi OS Bullseye installations listed in the advisory bundle Webstatus and should be included in remediation planning.
  • Confirm post-change authentication behavior and monitor for unexpected authentication attempts against Webstatus.
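To support the inventory step above, here is an added triage helper (not KUNBUS tooling) that takes per-host output in the shape of dpkg-query -W -f='${Package} ${Version}\n' and flags hosts whose Webstatus version falls in the affected range (<= 2.4.5). The package name revpi-webstatus, the host names, and the version strings in the sample are assumptions constructed for the example; substitute the package name reported on your own systems.

```python
import re
from typing import Dict, Tuple

# From the advisory: Webstatus <= 2.4.5 is affected, 2.4.6 is the fix.
AFFECTED_MAX = (2, 4, 5)
FIXED_MIN = (2, 4, 6)

# Assumed Debian package name; confirm with `dpkg -l | grep -i webstatus`.
PACKAGE = "revpi-webstatus"


def parse_version(debian_version: str) -> Tuple[int, int, int]:
    """Reduce a Debian version string to its upstream (major, minor, patch).

    Drops an epoch ("1:") and the Debian revision ("-1+rpt1"), then keeps
    the leading digits of each dotted component, padding to three parts.
    """
    upstream = debian_version.split(":", 1)[-1].split("-", 1)[0]
    parts = []
    for component in upstream.split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(debian_version: str) -> bool:
    """True when the installed Webstatus version is within the affected range."""
    return parse_version(debian_version) <= AFFECTED_MAX


def triage(report: str) -> Dict[str, str]:
    """Classify hosts from lines of the form '<host> <package> <version>'.

    Only lines naming PACKAGE are considered; hosts that never report it
    are left out so they can be checked by hand.
    """
    results: Dict[str, str] = {}
    for line in report.strip().splitlines():
        host, package, version = line.split()
        if package != PACKAGE:
            continue
        results[host] = "AFFECTED (upgrade to 2.4.6)" if is_affected(version) \
            else "fixed"
    return results


# Constructed sample: what a fleet-wide collection of dpkg-query output
# might look like. Host names and versions are made up for the example.
SAMPLE_REPORT = """
revpi-line1-plc01 revpi-webstatus 2.4.5-1
revpi-line1-plc02 revpi-webstatus 2.4.6-1
revpi-line2-plc01 revpi-webstatus 2.3.1-1+rpt1
revpi-line2-plc02 python3 3.9.2-3
"""

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{host}: {status}")
```

Because the affected set also includes Revolution Pi OS Bullseye images, run the same query on every Bullseye-based Revolution Pi, not only on hosts where Webstatus was installed deliberately; an image-bundled copy is just as reachable over the network.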

Evidence notes

Based on CISA CSAF ICSA-25-191-09 and the supplied advisory metadata, CVE-2025-41646 was initially published on 2025-07-10 and describes an authentication bypass in KUNBUS Revolution Pi Webstatus caused by implicit type conversion when JSON TRUE is supplied in the password parameter hashcode. The affected Webstatus range is <= 2.4.5, with vendor fix 2.4.6. Supplied enrichment marks the issue as not listed in CISA KEV.

Official resources

CISA published the CSAF advisory ICSA-25-191-09 for CVE-2025-41646 on 2025-07-10. The supplied corpus shows the initial publication date only; no later revision is included in the provided data.