CVE-2026-25872 in JUNG Smart Panel 5.1 KNX

Summary

by MITRE • 02/11/2026

JUNG Smart Panel KNX firmware versions L1.12.22 and prior contain an unauthenticated path traversal vulnerability in the embedded web interface. The application fails to properly validate file path input, allowing remote, unauthenticated attackers to access arbitrary files on the underlying filesystem within the context of the web server. This may result in disclosure of system configuration files and other sensitive information.


Analysis

by VulDB Data Team • 02/11/2026

The vulnerability identified as CVE-2026-25872 affects JUNG Smart Panel KNX firmware versions up to and including L1.12.22, representing a critical security flaw in industrial automation equipment. This issue manifests as an unauthenticated path traversal vulnerability within the device's embedded web interface, creating a significant attack surface for remote threat actors. The affected system operates within industrial control environments where security is paramount, making this vulnerability particularly concerning for operational technology infrastructure.

The technical flaw stems from inadequate input validation mechanisms within the web server component of the firmware. Specifically, the application fails to properly sanitize or validate file path parameters submitted through the web interface, allowing attackers to manipulate directory traversal sequences such as ../ or ..\ to navigate the filesystem outside of intended boundaries. This weakness directly maps to CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal vulnerabilities. The vulnerability exists at the application layer where user-supplied input is processed without adequate sanitization or authorization checks.
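The input check that the analysis above says is missing, shown as an added example (not code from the JUNG firmware or from VulDB): a resolver that joins the requested path onto the web root with no boundary check, beside one that decodes, normalises and confirms the result still lies under the root. The document root `/var/www/htdocs` and the sample requests are constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"  # assumed document root of the embedded web server


def unsafe_resolve(requested: str) -> str:
    """The CWE-22 pattern: user input is joined onto the root and handed to the
    filesystem as-is, so "../" segments walk out of the document root."""
    return posixpath.join(WEB_ROOT, requested.lstrip("/"))


def safe_resolve(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside `root`, else None.

    Decodes percent-encoding twice (catches %252e%252e), treats backslash as a
    separator (catches ..\\ sequences), collapses ./ and ../ with normpath, then
    enforces the boundary with a prefix check. Symlinks are not followed here; on a
    real device the result should additionally be passed through realpath().
    """
    root = posixpath.normpath(root)
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:  # reject NUL bytes, which truncate C string paths
        return None
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # normpath collapses "/a/../../b" to "/b", so this prefix check is the control.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def check_requests(paths):
    """Map each request to (unsafe_result, safe_result) for side-by-side comparison."""
    return {p: (unsafe_resolve(p), safe_resolve(p)) for p in paths}


# Constructed sample requests: one legitimate path, then traversal variants.
SAMPLE_REQUESTS = [
    "index.html",
    "../../../etc/passwd",
    "..%2F..%2F..%2Fetc%2Fpasswd",
    "..\\..\\..\\etc\\passwd",
]

if __name__ == "__main__":
    for req, (unsafe, safe) in check_requests(SAMPLE_REQUESTS).items():
        print(f"{req!r}: unsafe -> {unsafe}  safe -> {safe}")
```

Requests that the unsafe resolver would pass straight to the filesystem are rejected by `safe_resolve`, which is the kind of check a detection rule or WAF signature for this device's web interface would also want to mirror.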

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with the ability to access sensitive system configuration files and other critical data stored on the device. In industrial environments, this could expose network configurations, authentication credentials, device settings, and potentially proprietary process control information. The unauthenticated nature of the attack means that any remote actor can exploit this flaw without requiring prior credentials or access rights, making the vulnerability particularly dangerous in environments where physical security measures may be insufficient. This type of vulnerability aligns with ATT&CK technique T1566.002, which covers the exploitation of web applications for credential access and information gathering.

Organizations utilizing JUNG Smart Panel KNX devices should immediately implement mitigations including firmware updates to versions that address this vulnerability, network segmentation to isolate affected devices, and monitoring for suspicious web interface access patterns. The embedded web interface should be disabled when not required for administration purposes, and access to the device should be restricted through network-level controls such as firewalls and access control lists. Additionally, regular security assessments of industrial control systems should include evaluation of web application vulnerabilities, as this represents a common entry point for attackers targeting operational technology environments. The vulnerability demonstrates the importance of applying security patches promptly in industrial environments where legacy systems may not receive regular updates, and highlights the need for robust input validation practices in all embedded web applications.

Responsible

VulnCheck

Reservation

02/06/2026

Disclosure

02/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00014

KEV

no

Activities

very low
