CVE-2025-41646
Published 2025-06-06
Priority P192 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 40.73% (98.5th percentile)
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kunbus | revolution_pi_webstatus | 0.0.0 – 2.4.5 | — |
| kunbus | revpi_status | < 2.4.6 | 2.4.6 |
Detection & IOCs (extracted from sources)
- Detect authentication bypass attempts by monitoring POST requests to /php/dal.php containing a JSON body where the 'hashcode' field is the boolean value true (not a string hash). A legitimate login would supply a string hash, not a boolean.
- Match HTTP 200 responses to /php/dal.php that contain both '"status":"SUCCESS"' and '"sessionId":' following a request with hashcode set to boolean true; this indicates a successful authentication bypass.
- Use Shodan query 'title:"RevPi"' to identify internet-exposed Revolution Pi Webstatus instances that may be vulnerable.
- Flag any RevPi Webstatus instances running version 2.4.5 or prior (including those shipped with Revolution Pi OS Bullseye images from 02/2024, 04/2024, 06/2023, 07/2023, 09/2023) as vulnerable.
- The exploit payload requires Content-Type: application/json and the 'hashcode' field must be the raw JSON boolean 'true', not the string "true". Type coercion only triggers with the boolean type.
- The vulnerability is in the 'dal.php' endpoint's LOGIN mode handler; any username (e.g., 'admin') combined with hashcode:true is sufficient to bypass authentication; no valid password hash is required.
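The two detection rules above, as an added example that is not part of the original page or of any vendor's code: it parses constructed request/response records (field names are assumptions about how a proxy or WAF might log them) and flags a POST to /php/dal.php only when 'hashcode' is the JSON boolean true, so a string hash or the string "true" is not flagged.

```python
import json

# Constructed sample records (not real traffic). Each dict is one request/response
# pair; the key names are an assumed log schema, not a real product's format.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/php/dal.php", "content_type": "application/json",
     "body": '{"mode":"LOGIN","username":"admin","hashcode":true}',
     "status": 200, "response": '{"status":"SUCCESS","sessionId":"sess-0001"}'},
    {"method": "POST", "path": "/php/dal.php", "content_type": "application/json",
     "body": '{"mode":"LOGIN","username":"admin","hashcode":"0123456789abcdef"}',
     "status": 200, "response": '{"status":"SUCCESS","sessionId":"sess-0002"}'},
    {"method": "POST", "path": "/php/dal.php", "content_type": "application/json",
     "body": '{"mode":"LOGIN","username":"admin","hashcode":"true"}',
     "status": 200, "response": '{"status":"FAILED"}'},
    {"method": "GET", "path": "/php/dal.php", "content_type": "",
     "body": "", "status": 200, "response": ""},
]

def is_bypass_attempt(event):
    """Rule 1: POST to /php/dal.php with a JSON body whose 'hashcode' is boolean true."""
    if event.get("method") != "POST" or event.get("path") != "/php/dal.php":
        return False
    if not event.get("content_type", "").lower().startswith("application/json"):
        return False
    try:
        body = json.loads(event.get("body") or "")
    except ValueError:  # malformed or empty body: not the pattern we look for
        return False
    # 'is True' separates the boolean from the string "true" and from the integer 1
    return isinstance(body, dict) and body.get("hashcode") is True

def is_bypass_success(event):
    """Rule 2: a flagged attempt answered with HTTP 200, SUCCESS and a sessionId."""
    if not is_bypass_attempt(event) or event.get("status") != 200:
        return False
    resp = event.get("response") or ""
    return '"status":"SUCCESS"' in resp and '"sessionId":' in resp

def classify(events):
    """Return (indices of attempts, indices of successful bypasses)."""
    attempts = [i for i, e in enumerate(events) if is_bypass_attempt(e)]
    successes = [i for i, e in enumerate(events) if is_bypass_success(e)]
    return attempts, successes

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))  # ([0], [0])
```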
CVSS provenance
NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck · 9.8 CRITICAL
GHSA
GHSA-q5w3-ffhf-j4gq · ghsa_unreviewed · 2025-06-06 · CVE-2025-41646 [CRITICAL] · CWE-704
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device.
VulnCheck
kunbus revpi_status: Incorrect Type Conversion or Cast
vulncheck · 2025 · CVSS 9.8 · CVE-2025-41646 [CRITICAL]
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device.
Affected: kunbus revpi_status
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-41646; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-30&host_type=src&vulnerability=cve-2025-41646; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-31&host_type=src&vulnerability=cve-2025-41646; https://dashboard.shadowse
CISA ICS
KUNBUS RevPi Webstatus
cisa_ics · 2025-07-10 · CVSS 9.8 · [CRITICAL]
ICS Advisory
Release Date: July 10, 2025
Alert Code: ICSA-25-191-09
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: KUNBUS
- Equipment: RevPi Webstatus
- Vulnerability: Incorrect Implementation of Authentication Algorithm
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers to bypass authentication and gain unauthorized access to the application.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
KUNBUS reports the following products are affected:
- Revolution Pi Webstatus: Version 2.4.5 and prior
- Revolution Pi OS Bullseye: 04/2024
- Revolu
No detection rules found.
Nuclei
RevPi Webstatus <= v2.4.5 - Authentication Bypass
nuclei · CVSS 9.8 · CVE-2025-41646 [CRITICAL]
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device.
Template:

```yaml
id: CVE-2025-41646
info:
  name: RevPi Webstatus <= v2.4.5 - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device
  impact: |
    Unauthenticated attackers can bypass authentication through incorrect type conversion in the login mechanism, achieving complete device compromise.
  remediation: |
    Upgrade RevPi Webstatus to version 2.4.6 or later that properly va
```
No writeups or analysis indexed.
Timeline: 2025-06-06 published · Exploited in the wild