Wattsense Bridge up to 6.4.0 missing protection mechanism for alternate hardware interface
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.3 | $0-$5k | 0.00 |
Summary
A vulnerability marked as critical has been reported in Wattsense Bridge up to 6.4.0. This affects an unknown function. Performing a manipulation results in missing protection mechanism for alternate hardware interface. This vulnerability is known as CVE-2025-26409. The attack may be carried out on the physical device. No exploit is available. It is suggested to upgrade the affected component.
Details
A vulnerability was found in Wattsense Bridge up to 6.4.0. It has been classified as critical. This affects an unknown code. The manipulation with an unknown input leads to a missing protection mechanism for alternate hardware interface vulnerability. CWE is classifying the issue as CWE-1299. The lack of protections on alternate paths to access
control-protected assets (such as unprotected shadow registers
and other external facing unguarded interfaces) allows an
attacker to bypass existing protections to the asset that are
only performed against the primary path. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
A serial interface can be accessed with physical access to the PCB of Wattsense Bridge devices. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device. This issue is fixed in recent firmware versions BSP >= 6.4.1.
The weakness was published by Steffen Robertz. It is possible to read the advisory at r.sec-consult.com. This vulnerability is uniquely identified as CVE-2025-26409 since 02/10/2025. Attacking locally is a requirement. The technical details are unknown and an exploit is not publicly available.
Upgrading to version 6.4.1 eliminates this vulnerability.
Be aware that VulDB is the high quality source for vulnerability data.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.6VulDB Meta Temp Score: 6.3
VulDB Base Score: 6.6
VulDB Temp Score: 6.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Missing protection mechanism for alternate hardware interfaceCWE: CWE-1299
CAPEC: 🔍
ATT&CK: 🔍
Physical: Yes
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Bridge 6.4.1
Timeline
02/10/2025 🔍02/11/2025 🔍
02/11/2025 🔍
03/18/2025 🔍
Sources
Advisory: r.sec-consult.comResearcher: Steffen Robertz
Status: Confirmed
CVE: CVE-2025-26409 (🔍)
GCVE (CVE): GCVE-0-2025-26409
GCVE (VulDB): GCVE-100-295215
Entry
Created: 02/11/2025 10:53Updated: 03/18/2025 05:14
Changes: 02/11/2025 10:53 (20), 02/11/2025 10:56 (34), 03/18/2025 05:14 (1)
Complete: 🔍
Committer: mitr
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.