
CVE-2025-24351: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Bosch Rexroth AG ctrlX OS - Device Admin

Severity: High
Tags: Vulnerability, CVE, CVE-2025-24351, CWE-78
Published: Wed Apr 30 2025 (04/30/2025, 11:47:00 UTC)
Source: CVE
Vendor/Project: Bosch Rexroth AG
Product: ctrlX OS - Device Admin

Description

A vulnerability in the “Remote Logging” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to execute arbitrary OS commands in the context of user “root” via a crafted HTTP request.

AI-Powered Analysis

Last updated: 06/25/2025, 15:02:37 UTC

Technical Analysis

CVE-2025-24351 is a high-severity OS command injection vulnerability identified in the Remote Logging functionality of the web application component of Bosch Rexroth AG's ctrlX OS - Device Admin. This vulnerability arises due to improper neutralization of special elements used in OS commands (CWE-78), allowing a remote attacker with low-privileged authenticated access to execute arbitrary operating system commands with root-level privileges. The vulnerability affects ctrlX OS versions 1.20.0 and 2.6.0. Exploitation requires no user interaction beyond authentication, and the attack vector is network-based (remote). The attacker crafts a specially formed HTTP request that leverages the inadequate input sanitization in the Remote Logging feature to inject OS commands. Successful exploitation compromises confidentiality, integrity, and availability of the affected system, as the attacker gains root-level command execution capabilities. The CVSS v3.1 base score is 8.8, reflecting the high impact and relatively low attack complexity (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No known exploits are currently reported in the wild, but the vulnerability's nature and impact make it a critical concern for industrial control systems and automation environments using ctrlX OS. Bosch Rexroth AG is a prominent supplier of industrial automation and control solutions, and ctrlX OS is a real-time operating system designed for industrial devices, making this vulnerability particularly relevant to operational technology (OT) environments.
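To make the CWE-78 pattern described above concrete, here is an added example (not ctrlX OS code; the handler, the `logger` invocation and the `host:port` target format are assumptions) of a privileged remote-logging handler written the vulnerable way beside a hardened version that validates the target and never involves a shell:

```python
"""Hypothetical remote-logging target handler (constructed, not ctrlX OS code).

A privileged service turns a user-supplied log target into an OS command.
The vulnerable version interpolates the value into a shell string; the
hardened version validates the target and passes it as a discrete argv
element, so shell metacharacters are never interpreted.
"""
import ipaddress
import re
import subprocess

# Constructed: RFC 1123-style hostname grammar (labels of 1-63 chars, max 253 total).
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.I,
)


def vulnerable_command(target: str) -> str:
    """Vulnerable: the raw target lands inside a shell command line, so a value
    like 'logs.example.com; id' ends the intended command and starts another,
    running as the service user (root in the CVE)."""
    return f"/usr/bin/logger --server {target} 'remote logging enabled'"


def validate_target(target: str) -> tuple[str, int]:
    """Hardened: accept only '<host>:<port>' with a hostname or IP literal and a
    port in 1..65535; anything else is rejected before a command is built."""
    host, sep, port_str = target.rpartition(":")
    if not sep or not port_str.isdigit():
        raise ValueError("target must be host:port")
    port = int(port_str)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not _HOST_RE.match(host):
            raise ValueError("invalid host") from None
    return host, port


def hardened_argv(target: str) -> list[str]:
    """Build an argv list from a validated target; each value is one argument."""
    host, port = validate_target(target)
    return ["/usr/bin/logger", "--server", host, "--port", str(port), "remote logging enabled"]


def hardened_run(target: str) -> subprocess.CompletedProcess:
    # A list argument means shell=False: the host reaches logger as one literal argv entry.
    return subprocess.run(hardened_argv(target), check=False, capture_output=True)
```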

Potential Impact

For European organizations, especially those operating in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability poses a significant risk. Exploitation could lead to full system compromise of devices running ctrlX OS, enabling attackers to disrupt industrial processes, manipulate control logic, exfiltrate sensitive operational data, or cause denial of service. Given the root-level access gained, attackers could pivot within OT networks, potentially affecting broader production environments and supply chains. The impact extends to safety-critical systems where unauthorized command execution might cause physical damage or safety hazards. The confidentiality breach risks exposing proprietary manufacturing data or intellectual property. Integrity violations could result in altered control commands, leading to faulty operations. Availability impacts could halt production lines or critical infrastructure services, causing financial losses and reputational damage. The vulnerability's presence in a widely used industrial OS in Europe amplifies the threat, especially as many European countries have strong manufacturing and industrial sectors relying on Bosch Rexroth solutions.

Mitigation Recommendations

1. Immediate patching: Although no official patches are listed yet, organizations should monitor Bosch Rexroth advisories closely and apply updates as soon as they become available.
2. Restrict access: Limit access to the ctrlX OS Device Admin web interface to trusted networks only, using network segmentation and firewall rules to reduce exposure.
3. Enforce strong authentication: Since exploitation requires authentication, implement multi-factor authentication (MFA) and enforce strong password policies to reduce the risk of credential compromise.
4. Monitor and audit: Enable detailed logging and continuous monitoring of Remote Logging activities and web interface access to detect anomalous or suspicious commands or requests.
5. Use application-layer filtering: Deploy web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to detect and block command injection patterns targeting the Remote Logging feature.
6. Limit privileges: Where possible, run the Device Admin service with the least privileges necessary to reduce the impact of potential exploitation.
7. Incident response readiness: Prepare and test incident response plans specific to OT environments to quickly contain and remediate any exploitation attempts.
8. Vendor engagement: Engage with Bosch Rexroth support for guidance and early access to patches or mitigations.
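As an added example of the monitoring and filtering logic in items 4 and 5 (not part of this advisory or of any vendor tooling), the following check scans web-server access logs for requests to a remote-logging endpoint whose decoded parameters contain shell metacharacters; the endpoint path and the log lines are constructed placeholders, not ctrlX OS paths or real traffic:

```python
"""Constructed access-log review for command-injection attempts against a
remote-logging endpoint.  WATCHED_PATH is a hypothetical placeholder."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical path of the Device Admin remote-logging handler (placeholder).
WATCHED_PATH = "/api/device-admin/remote-logging"

# Shell metacharacters and constructs that have no business in a log target.
_SUSPICIOUS = re.compile(r"[;&|`<>\r\n]|\$\(|\$\{")

# Constructed sample lines in a combined-log-like format (not real traffic).
SAMPLE_LOG = """\
10.0.0.7 - operator [30/Apr/2025:11:47:00 +0000] "POST /api/device-admin/remote-logging?target=logs.example.com%3A514 HTTP/1.1" 200 12
10.0.0.9 - operator [30/Apr/2025:11:48:10 +0000] "POST /api/device-admin/remote-logging?target=logs.example.com%3A514%3B%20id HTTP/1.1" 200 12
10.0.0.7 - operator [30/Apr/2025:11:49:00 +0000] "GET /api/device-admin/status HTTP/1.1" 200 88
10.0.0.9 - operator [30/Apr/2025:11:50:31 +0000] "POST /api/device-admin/remote-logging?target=%24(id)%3A514 HTTP/1.1" 500 0
"""

_LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_requests(log_text: str) -> list[dict]:
    """Return one finding per request to WATCHED_PATH whose decoded query
    values contain shell metacharacters.  Decoding happens before matching so
    percent-encoded payloads are not missed."""
    findings = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        src, user, ts, method, url, status = m.groups()
        parts = urlsplit(url)
        if parts.path != WATCHED_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if _SUSPICIOUS.search(value):
                    findings.append({"src": src, "user": user, "time": ts, "method": method,
                                     "param": name, "value": value, "status": int(status)})
    return findings
```

A 200 response on a flagged request deserves the same attention as a 500, since on the affected versions the injected command runs before the handler reports success or failure.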


Technical Details

Data Version: 5.1
Assigner Short Name: bosch
Date Reserved: 2025-01-20T15:09:10.534Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed36d

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 3:02:37 PM

Last updated: 8/17/2025, 1:00:49 AM
