
CVE-2025-24345: CWE-1286 Improper Validation of Syntactic Correctness of Input in Bosch Rexroth AG ctrlX OS - Device Admin

Severity: Medium
Tags: Vulnerability, CVE-2025-24345, CWE-1286
Published: Wed Apr 30 2025 (04/30/2025, 11:35:44 UTC)
Source: CVE
Vendor/Project: Bosch Rexroth AG
Product: ctrlX OS - Device Admin

Description

A vulnerability in the “Hosts” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the “hosts” file in an unintended manner via a crafted HTTP request.

AI-Powered Analysis

Last updated: 06/25/2025, 07:00:19 UTC

Technical Analysis

CVE-2025-24345 is a medium-severity vulnerability in the “Hosts” functionality of the ctrlX OS - Device Admin web application from Bosch Rexroth AG. The flaw is an improper validation of the syntactic correctness of input (CWE-1286): the web application does not check that a submitted hosts entry conforms to the expected grammar before writing it, so a remote attacker with low-privileged authenticated access can manipulate the system's hosts file through a crafted HTTP request. The hosts file maps hostnames to IP addresses locally, and unauthorized modifications can redirect network traffic, enable interception, or cause denial of service. The vulnerability affects versions 1.20.0 and 2.6.0 of ctrlX OS - Device Admin. Exploitation requires no user interaction, but it does require an authenticated account, albeit a low-privileged one; this is a lower barrier than a vulnerability that demands administrative privileges. The CVSS v3.1 base score is 6.3 (medium), with a network attack vector, low attack complexity, and impact on confidentiality, integrity, and availability. No exploits in the wild have been reported, and no patches have been linked yet. Because the syntax of the submitted data is not validated, crafted requests can inject or alter hosts entries, which in the industrial control environments where ctrlX OS is deployed can redirect network requests to attacker-chosen endpoints, enable man-in-the-middle attacks, or disrupt device communications.
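The CWE-1286 root cause described above, as an added example that is not ctrlX OS or Bosch Rexroth code: a strict validator for a hosts entry submitted through a web handler, shown beside the unchecked concatenation the weakness describes. The handler shape (an IP string plus a list of hostnames), the alias limit and the sample inputs are assumptions made for this example, not details from the advisory.

```python
"""Strict syntactic validation of a hosts-file entry submitted through a web form.

Added example, not code from ctrlX OS or Bosch Rexroth. It assumes (an
assumption, not something the advisory states) that the handler receives an IP
string plus a list of hostnames and must emit exactly one line of the form
"<ip> <name> [<alias> ...]" into the hosts file.
"""
import ipaddress
import re
from typing import List

# RFC 1123 label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
# Deliberately without ^/$ anchors: "$" also matches before a trailing newline,
# which is exactly the kind of syntactic slip CWE-1286 covers; re.fullmatch()
# is used instead so the whole label must match.
_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_MAX_NAME_LEN = 253
_MAX_ALIASES = 8  # constructed limit for this example


class HostsEntryError(ValueError):
    """The submitted entry does not satisfy the hosts-line grammar."""


def validate_ip(value: str) -> str:
    """Return the canonical text of an IPv4/IPv6 literal or raise HostsEntryError."""
    if not isinstance(value, str) or not value.isascii() or value != value.strip():
        raise HostsEntryError("ip must be a trimmed ASCII string")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise HostsEntryError(f"not an IP literal: {value!r}") from exc


def validate_hostname(value: str) -> str:
    """Return the hostname unchanged if every dot-separated label is well formed."""
    if not isinstance(value, str) or not value.isascii():
        raise HostsEntryError("hostname must be an ASCII string")
    if not 1 <= len(value) <= _MAX_NAME_LEN:
        raise HostsEntryError("hostname length out of range")
    # Empty labels from "a..b" or a trailing dot fail the {1,63} quantifier;
    # whitespace, "#" and control characters are simply not in the class.
    for label in value.split("."):
        if _LABEL_RE.fullmatch(label) is None:
            raise HostsEntryError(f"malformed label in {value!r}")
    return value


def render_hosts_line(ip: str, hostnames: List[str]) -> str:
    """Build the single canonical hosts line for a validated entry."""
    if not isinstance(hostnames, list) or not 1 <= len(hostnames) <= _MAX_ALIASES:
        raise HostsEntryError(f"between 1 and {_MAX_ALIASES} hostnames required")
    names = [validate_hostname(h) for h in hostnames]
    if len({n.lower() for n in names}) != len(names):
        raise HostsEntryError("duplicate hostnames in entry")
    line = " ".join([validate_ip(ip), *names])
    # Defence in depth: whatever passed above must still be one comment-free line.
    if any(c in line for c in "\r\n#"):
        raise HostsEntryError("rendered line contains a forbidden character")
    return line + "\n"


def naive_render(ip: str, hostnames: List[str]) -> str:
    """The unchecked pattern CWE-1286 describes: client input is concatenated as-is."""
    return " ".join([ip, *hostnames]) + "\n"


def is_valid_entry(ip: str, hostnames: List[str]) -> bool:
    """True if the entry would be accepted by render_hosts_line()."""
    try:
        render_hosts_line(ip, hostnames)
    except HostsEntryError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a hostname carrying an embedded newline, which the
    # naive path turns into a second hosts entry and the strict path rejects.
    crafted = ["plc-01\n10.0.0.9 extra-host"]
    print("naive lines written:", naive_render("10.0.0.5", crafted).count("\n"))
    print("strict accepts:", is_valid_entry("10.0.0.5", crafted))
    print(render_hosts_line("10.0.0.5", ["plc-01", "plc-01.plant.local"]), end="")
```

The design point is that the validator describes the grammar of a hosts line positively (address literal, then labels drawn from a fixed character class) rather than trying to blacklist newlines or comment markers; the final character check is only a second line of defence, not the primary control.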

Potential Impact

For European organizations, particularly those in industrial automation, manufacturing, and critical infrastructure sectors that deploy Bosch Rexroth's ctrlX OS, this vulnerability poses a significant risk. Manipulation of the hosts file can redirect internal network traffic to malicious endpoints, enabling espionage, data exfiltration, or sabotage of industrial processes. The integrity and availability of control systems could be compromised, potentially leading to operational downtime or safety hazards. Confidentiality is also at risk if attackers redirect traffic to intercept sensitive communications. Given ctrlX OS's role in device administration within industrial environments, exploitation could disrupt production lines or critical infrastructure services. The requirement for low-privileged authentication means insider threats or compromised credentials could be leveraged to exploit this flaw, increasing risk. Although no public exploits exist yet, the potential impact on industrial control systems and supply chains in Europe is notable, especially in sectors reliant on Bosch Rexroth technology.

Mitigation Recommendations

1. Implement strict access controls and monitoring on ctrlX OS Device Admin interfaces to limit low-privileged user access and detect anomalous HTTP requests targeting the hosts functionality.
2. Employ network segmentation to isolate industrial control systems running ctrlX OS from general IT networks, reducing exposure to remote attackers.
3. Enforce multi-factor authentication and strong credential management to reduce the risk of low-privileged account compromise.
4. Conduct regular integrity checks on hosts files and system configurations to detect unauthorized modifications promptly.
5. If possible, apply input validation filters or web application firewalls (WAFs) that can detect and block malformed or suspicious HTTP requests targeting the hosts file functionality.
6. Coordinate with Bosch Rexroth for timely patches or updates once available, and plan for rapid deployment in industrial environments.
7. Train operational technology (OT) security teams to recognize signs of hosts file tampering and unusual network redirections.
8. Maintain comprehensive logging and alerting on device admin activities to facilitate forensic analysis and incident response.
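Items 4, 7 and 8 above (integrity checks on the hosts file and recognising tampering), as an added example that is not ctrlX OS or Bosch Rexroth code: a baseline digest, a parser that maps names to addresses, a drift report against the baseline, and a check that entries stay inside the networks the plant segment is expected to use. Both hosts-file texts and the allowed networks are constructed for this example.

```python
"""Integrity check and drift audit for a hosts file on a device such as a
ctrlX OS controller.

Added example, not ctrlX OS code. The two hosts-file texts and the allowed
networks below are constructed values for a hypothetical plant segment.
"""
import hashlib
import ipaddress
from ipaddress import IPv4Network, IPv6Network
from typing import Dict, List, Sequence, Tuple, Union

HostsMap = Dict[str, Tuple[str, ...]]
Network = Union[IPv4Network, IPv6Network]

# Constructed baseline captured at commissioning time ...
BASELINE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost
10.0.0.20 plc-01
10.0.0.30 update-server.plant.local
"""

# ... and the file as found on the device later (also constructed).
CURRENT_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost
10.0.0.20 plc-01
10.0.0.99 update-server.plant.local
10.0.0.40 hmi-02 # added by operator
203.0.113.7 fileshare
"""

# Assumed address ranges a hosts entry on this segment may legitimately use.
ALLOWED_NETWORKS: List[Network] = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/24", "127.0.0.0/8", "::1/128")
]


def hosts_digest(text: str) -> str:
    """SHA-256 of the raw file, for a cheap 'has anything changed at all' check."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_hosts(text: str) -> HostsMap:
    """Map each hostname (lower-cased) to the addresses it is given, in file order."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names cannot influence resolution
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(ip)
    return {name: tuple(ips) for name, ips in mapping.items()}


def diff_hosts(baseline_text: str, current_text: str) -> Dict[str, list]:
    """Report names added, removed, or re-pointed relative to the baseline."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    return {
        "added": sorted(n for n in cur if n not in base),
        "removed": sorted(n for n in base if n not in cur),
        "changed": sorted(
            (n, base[n], cur[n]) for n in cur if n in base and cur[n] != base[n]
        ),
    }


def outside_allowed(mapping: HostsMap, allowed: Sequence[Network]) -> List[Tuple[str, str]]:
    """Names pointing at addresses outside the expected networks, or at unparsable text."""
    findings: List[Tuple[str, str]] = []
    for name, ips in mapping.items():
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append((name, ip))  # garbage in the address column is itself a finding
                continue
            # "in" is False across address families, so v4 entries are only
            # tested against v4 networks and vice versa.
            if not any(addr in net for net in allowed):
                findings.append((name, ip))
    return findings


if __name__ == "__main__":
    print("digest changed:", hosts_digest(BASELINE_HOSTS) != hosts_digest(CURRENT_HOSTS))
    print(diff_hosts(BASELINE_HOSTS, CURRENT_HOSTS))
    print(outside_allowed(parse_hosts(CURRENT_HOSTS), ALLOWED_NETWORKS))
```

In practice the baseline digest and parsed map are stored off the device (the attacker who can edit the hosts file may be able to edit a baseline kept beside it), and the drift report is what gets forwarded to the SIEM; a re-pointed entry for a name such as an update server is the signature of the redirection described in the analysis above.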


Technical Details

Data Version: 5.1
Assigner Short Name: bosch
Date Reserved: 2025-01-20T15:09:10.532Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983bc4522896dcbee0c4

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 7:00:19 AM

Last updated: 8/11/2025, 9:58:33 AM

