
CVE-2025-24340: CWE-916 Use of Password Hash With Insufficient Computational Effort in Bosch Rexroth AG ctrlX OS - Device Admin

Medium
Tags: Vulnerability, CVE-2025-24340, CWE-916
Published: Wed Apr 30 2025 (04/30/2025, 10:59:06 UTC)
Source: CVE
Vendor/Project: Bosch Rexroth AG
Product: ctrlX OS - Device Admin

Description

A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users.

AI-Powered Analysis

Last updated: 06/25/2025, 08:45:58 UTC

Technical Analysis

CVE-2025-24340 is a medium-severity vulnerability in Bosch Rexroth AG's ctrlX OS - Device Admin component, affecting versions 1.12.0, 1.20.0, and 2.6.0. It stems from the use of password hashes with insufficient computational effort (CWE-916) in the users configuration file. This weakness allows a remote attacker with low-privileged authenticated access to the system to potentially recover the plaintext passwords of other users. No user interaction is required and the attack can be carried out over the network, but the attacker must already hold some level of authentication, albeit low privilege. The CVSS 3.1 base score is 6.5 (medium), with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. The core issue is that the hashes stored in the configuration file are produced with algorithms or parameters that provide too little computational difficulty, so once the file has been obtained they are exposed to offline brute-force or dictionary attacks. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to the confidentiality of user credentials on affected ctrlX OS devices. Because ctrlX OS is an industrial automation operating system used for device administration, exposure of plaintext passwords could lead to unauthorized access and lateral movement within industrial control environments.

Potential Impact

For European organizations, particularly those in manufacturing, industrial automation, and critical infrastructure sectors that deploy Bosch Rexroth's ctrlX OS devices, this vulnerability could lead to significant confidentiality breaches. Attackers gaining access to plaintext passwords could escalate privileges, compromise additional devices, or disrupt operational technology environments. The exposure of credentials undermines trust in device authentication mechanisms and could facilitate further attacks such as unauthorized configuration changes or espionage. Since ctrlX OS is used in industrial control systems, the compromise could indirectly affect operational continuity and safety, even though integrity and availability impacts are not directly indicated by this vulnerability. The medium severity rating suggests a moderate but tangible risk, especially in environments where multiple users share device administration roles or where network segmentation is insufficient. The requirement for low-privileged authentication means that insider threats or attackers who have obtained initial access could exploit this vulnerability to expand their foothold.

Mitigation Recommendations

1. Immediate mitigation should focus on upgrading ctrlX OS to patched versions once Bosch Rexroth releases them, as no patches are currently linked.
2. Until patches are available, restrict access to the Device Admin interface strictly to trusted personnel and networks, employing network segmentation and strong access controls.
3. Implement multi-factor authentication (MFA) where possible to reduce the risk posed by compromised passwords.
4. Regularly audit user accounts and credentials on ctrlX OS devices to detect suspicious activities or unauthorized access attempts.
5. Employ compensating controls such as monitoring and alerting on unusual authentication patterns or configuration file access.
6. Encourage the vendor to adopt stronger password hashing algorithms with adequate computational effort (e.g., Argon2, bcrypt with high iteration counts) in future releases to prevent similar weaknesses.
7. Educate users and administrators about the risks of password reuse and the importance of strong, unique passwords to limit the impact of potential plaintext password disclosure.
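The following is an added example, not code from the original page or from Bosch Rexroth. It shows what the CWE-916 weakness in the technical analysis looks like in practice from a defender's side: an auditor that walks a users file in a hypothetical `user:hash` layout (the real ctrlX OS users configuration file format is not described on the page and is not assumed here), recognises common modular-crypt hash formats, and flags entries whose cost parameters are too low to resist offline guessing. It also shows the hardened form recommended in mitigation item 6: storing passwords with a salted, high-iteration PBKDF2-SHA256 and verifying them in constant time. All thresholds and sample entries are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Illustrative minimum cost parameters chosen for this example, not vendor guidance.
MIN_SHA_CRYPT_ROUNDS = 100_000
MIN_BCRYPT_COST = 12
MIN_PBKDF2_ITERATIONS = 600_000
MIN_ARGON2_MEMORY_KIB = 64 * 1024

# Constructed sample "users file". The 'user:hash' layout is hypothetical and is
# not the real ctrlX OS users configuration file format. Hash bodies are dummies.
SAMPLE_USERS_FILE = """\
# user:hash
admin:0123456789abcdef0123456789abcdef
operator:$6$saltsalt$hashhashhashhashhashhashhashhashhashhashhash
service:$6$rounds=200000$saltsalt$hashhashhashhashhashhashhashhashhash
maint:$2b$05$saltsaltsaltsaltsaltsahashhashhashhashhashhashhashhashhash
auditor:$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNoaGFzaA
"""


def assess_hash(h):
    """Classify one stored hash string as ('weak', reason) or ('ok', reason)."""
    if re.fullmatch(r"[0-9a-fA-F]{32,128}", h):
        return "weak", "bare unsalted digest (single MD5/SHA pass, no work factor)"
    if h.startswith("$1$"):
        return "weak", "md5crypt: fixed 1000 iterations, no memory hardness"
    m = re.match(r"\$(5|6)\$(?:rounds=(\d+)\$)?", h)
    if m:
        rounds = int(m.group(2)) if m.group(2) else 5000  # sha-crypt default
        if rounds < MIN_SHA_CRYPT_ROUNDS:
            return "weak", f"sha-crypt rounds={rounds} (< {MIN_SHA_CRYPT_ROUNDS})"
        return "ok", f"sha-crypt rounds={rounds}"
    m = re.match(r"\$2[aby]\$(\d\d)\$", h)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return "weak", f"bcrypt cost={cost} (< {MIN_BCRYPT_COST})"
        return "ok", f"bcrypt cost={cost}"
    m = re.match(r"\$argon2(?:id|i|d)\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)\$", h)
    if m:
        mem = int(m.group(1))
        if mem < MIN_ARGON2_MEMORY_KIB:
            return "weak", f"argon2 m={mem} KiB (< {MIN_ARGON2_MEMORY_KIB})"
        return "ok", f"argon2 m={mem} KiB, t={m.group(2)}, p={m.group(3)}"
    m = re.match(r"\$pbkdf2-sha256\$(\d+)\$", h)
    if m:
        iters = int(m.group(1))
        if iters < MIN_PBKDF2_ITERATIONS:
            return "weak", f"pbkdf2-sha256 iterations={iters} (< {MIN_PBKDF2_ITERATIONS})"
        return "ok", f"pbkdf2-sha256 iterations={iters}"
    return "weak", "unrecognised hash format; treat as unverified"


def audit_users_file(text):
    """Parse 'user:hash' lines and return a list of (user, verdict, reason)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        verdict, reason = assess_hash(stored)
        findings.append((user, verdict, reason))
    return findings


def weak_accounts(text):
    """Usernames whose stored hash gives insufficient computational effort."""
    return [user for user, verdict, _ in audit_users_file(text) if verdict == "weak"]


def _b64(raw):
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(s):
    return base64.b64decode(s + "=" * (-len(s) % 4))


def hash_password(password, iterations=MIN_PBKDF2_ITERATIONS, salt=None):
    """Hardened storage: random 16-byte salt, PBKDF2-SHA256 with a high
    iteration count, serialised as $pbkdf2-sha256$<iters>$<salt>$<dk>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password, stored):
    """Recompute the derived key and compare in constant time."""
    m = re.fullmatch(r"\$pbkdf2-sha256\$(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)", stored)
    if not m:
        return False
    iterations = int(m.group(1))
    salt, expected = _unb64(m.group(2)), _unb64(m.group(3))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    for user, verdict, reason in audit_users_file(SAMPLE_USERS_FILE):
        print(f"{user:10} {verdict:5} {reason}")
    print(hash_password("example-only"))
```

Running the audit over the constructed file flags `admin` (bare digest), `operator` (sha-crypt left at its 5000-round default) and `maint` (bcrypt cost 5), while the sha-crypt entry with explicit high rounds and the Argon2id entry pass. A hash produced by `hash_password` passes the same audit, which is the property a fix for this class of weakness should have: the stored form itself carries a work factor that an offline guess must pay per candidate.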


Technical Details

Data Version: 5.1
Assigner Short Name: bosch
Date Reserved: 2025-01-20T15:09:10.532Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983bc4522896dcbedd82

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 8:45:58 AM

Last updated: 8/14/2025, 9:05:54 AM
