CVE-2025-41733

Critical

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker…

CERTVDE·CWE-305·Published 2025-11-18

CVSS

9.8

EPSS

0.01

KEV

Exploits

cve.orgen

192 chars

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

NVDen

192 chars

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H