cbcvebase.
CVE-2025-41646
published 2025-06-06


Priority: P192 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploitation: exploited in the wild (ITW exploit); listed in VulnCheck KEV; initial access
EPSS: 40.73% (98.5th percentile)
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device.

Affected (2 ranges)

Vendor   Product                  Version range   Fixed in
kunbus   revolution_pi_webstatus  0.0.0 – 2.4.5
kunbus   revpi_status             < 2.4.6         2.4.6

Detection & IOCs (extracted from sources)

url: /php/dal.php
command: {"mode":"LOGIN","username":"admin","hashcode":true}
  • Detect authentication bypass attempts by monitoring POST requests to /php/dal.php containing a JSON body where the 'hashcode' field is the boolean value true (not a string hash). A legitimate login would supply a string hash, not a boolean.
  • Match HTTP 200 responses to /php/dal.php that contain both '"status":"SUCCESS"' and '"sessionId":' following a request with hashcode set to boolean true — this indicates a successful authentication bypass.
  • Use Shodan query 'title:"RevPi"' to identify internet-exposed Revolution Pi Webstatus instances that may be vulnerable.
  • Flag any RevPi Webstatus instances running version 2.4.5 or prior (including those shipped with Revolution Pi OS Bullseye images from 02/2024, 04/2024, 06/2023, 07/2023, 09/2023) as vulnerable.
  • The exploit payload requires Content-Type: application/json and the 'hashcode' field must be the raw JSON boolean 'true', not the string "true". Type coercion only triggers with the boolean type.
  • The vulnerability is in the 'dal.php' endpoint's LOGIN mode handler; any username (e.g., 'admin') combined with hashcode:true is sufficient to bypass authentication, so no valid password hash is required.
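A detection routine for the first two bullets above (a JSON POST to /php/dal.php whose 'hashcode' is the JSON boolean true, correlated with a 200 response carrying "status":"SUCCESS" and a sessionId), added here as an example; it is not part of the source record or of the vendor's code. The request/response dictionary layout, the helper names and the sample traffic are constructed for illustration.

```python
import json
DAL_PATH = "/php/dal.php"

def _json_object(text):
    """Parse a body as JSON; None unless the result is a JSON object."""
    try:
        obj = json.loads(text or "")
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def is_bypass_attempt(req):
    """JSON POST to /php/dal.php in LOGIN mode whose hashcode is the JSON boolean true;
    'is True' is deliberate so that the string "true" or the number 1 does not match."""
    if (req.get("method") != "POST" or req.get("path") != DAL_PATH
            or "application/json" not in req.get("content_type", "")):
        return False
    body = _json_object(req.get("body"))
    return body is not None and body.get("mode") == "LOGIN" and body.get("hashcode") is True

def is_success_response(resp):
    """HTTP 200 whose JSON body reports status SUCCESS and carries a sessionId."""
    if resp.get("status") != 200:
        return False
    rbody = _json_object(resp.get("body"))
    return rbody is not None and rbody.get("status") == "SUCCESS" and "sessionId" in rbody

def triage(events):
    """Split request/response pairs into (bypass attempt ids, successful bypass ids)."""
    attempts, successes = [], []
    for ev in events:
        if is_bypass_attempt(ev["request"]):
            attempts.append(ev["id"])
            if is_success_response(ev["response"]):
                successes.append(ev["id"])
    return attempts, successes

def _post(body):
    return {"method": "POST", "path": DAL_PATH, "content_type": "application/json", "body": body}

SAMPLE_EVENTS = [  # constructed sample traffic, not captured from a real device
    {"id": 1, "request": _post('{"mode":"LOGIN","username":"admin","hashcode":"0123abcd"}'),
     "response": {"status": 200, "body": '{"status":"SUCCESS","sessionId":"s1"}'}},  # normal login
    {"id": 2, "request": _post('{"mode":"LOGIN","username":"admin","hashcode":true}'),
     "response": {"status": 200, "body": '{"status":"SUCCESS","sessionId":"s2"}'}},  # bypass worked
    {"id": 3, "request": _post('{"mode":"LOGIN","username":"admin","hashcode":"true"}'),
     "response": {"status": 200, "body": '{"status":"FAILED"}'}},  # string "true" is not the bug
    {"id": 4, "request": _post('{"mode":"LOGIN","username":"admin","hashcode":true}'),
     "response": {"status": 200, "body": '{"status":"FAILED"}'}},  # attempt against a patched host
]
```

Running `triage(SAMPLE_EVENTS)` yields ([2, 4], [2]): two attempts, one of which was answered with a session. The type check matters because a string hash, the string "true" and the number 1 all parse differently from the JSON boolean, and only the boolean form is the indicator described above.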

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL