
CVE-2025-24351: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Bosch Rexroth AG ctrlX OS - Device Admin

Severity: High
Published: Wed Apr 30 2025 (04/30/2025, 11:47:00 UTC)
Source: CVE
Vendor/Project: Bosch Rexroth AG
Product: ctrlX OS - Device Admin

Description

A vulnerability in the “Remote Logging” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to execute arbitrary OS commands in the context of user “root” via a crafted HTTP request.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 20:58:39 UTC

Technical Analysis

CVE-2025-24351 is an OS command injection vulnerability (CWE-78) in the Remote Logging functionality of the ctrlX OS - Device Admin web application from Bosch Rexroth AG. User-supplied fields from the Remote Logging configuration are incorporated into an OS command without neutralizing shell metacharacters, and that command is executed as "root". An attacker who holds any authenticated, low-privileged account on the web application can therefore send a crafted HTTP request that appends commands of their choosing and have them run with root privileges on the underlying operating system.

The vulnerability affects ctrlX OS versions 1.20.0 and 2.6.0. The CVSS v3.1 base score is 8.8 (High): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope, and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Root-level command execution means full compromise of the device, which in turn allows manipulation of the automation workloads the device controls, disruption of operations, or exfiltration of data.

No public exploit has been reported. The CVE record has been enriched by CISA, which adds scoring and weakness metadata to the entry; enrichment is not an indicator of observed exploitation. The root cause is insufficient validation of the Remote Logging inputs before they are used to build an OS command. Because ctrlX OS is deployed for device administration and automation control in industrial environments, the consequences of exploitation are particularly serious there.
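The pattern described above (configuration fields concatenated into a root-run shell command) is easiest to see side by side with its fix. The following is an added example, not code from ctrlX OS or Bosch Rexroth; the agent being invoked, the `--server`/`--port` options and the parameter names are assumptions, and `echo` stands in for the real logging agent so the demonstration is harmless. It shows the vulnerable construction, the hardened construction (allow-list validation plus an argv list with no shell), and shell quoting as a fallback when a shell is unavoidable.

```python
"""Added example (not ctrlX OS code): why a remote-logging handler becomes
CWE-78 and how to harden it. Command, options and field names are assumed."""
import ipaddress
import re
import shlex
import subprocess
from typing import List

# Hypothetical logging agent the web UI would configure; 'echo' makes the demo harmless.
LOG_AGENT = ["echo", "configure-syslog"]

# RFC 1123 hostname: labels of 1..63 alphanumerics/hyphens, no leading/trailing hyphen.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_vulnerable(host: str, port: str) -> str:
    """The CWE-78 pattern: untrusted fields pasted into one shell string."""
    return f"{' '.join(LOG_AGENT)} --server {host} --port {port}"


def run_vulnerable(host: str, port: str) -> str:
    """shell=True hands the string to /bin/sh -c, so ';', '|', '$(...)' in the
    host or port field are parsed as shell syntax and executed."""
    proc = subprocess.run(build_vulnerable(host, port), shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def validate_host(host: str) -> str:
    """Accept an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME.match(host):
        return host
    raise ValueError(f"invalid remote logging host: {host!r}")


def validate_port(port: str) -> int:
    """Digits only, in the TCP/UDP port range."""
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid remote logging port: {port!r}")
    return int(port)


def build_safe(host: str, port: str) -> List[str]:
    """Hardened form: allow-list each field, then build argv as a list.
    With no shell in the path there is nothing left to inject into."""
    return LOG_AGENT + ["--server", validate_host(host),
                        "--port", str(validate_port(port))]


def run_safe(host: str, port: str) -> str:
    proc = subprocess.run(build_safe(host, port), capture_output=True,
                          text=True, check=True)
    return proc.stdout


def quote_for_shell(host: str, port: str) -> str:
    """If a shell is unavoidable (e.g. a vendor wrapper script), quote every
    validated argument so the shell sees each one as a single word."""
    return " ".join(shlex.quote(arg) for arg in build_safe(host, port))


def is_accepted(host: str, port: str) -> bool:
    """True if the hardened validator lets the pair through."""
    try:
        build_safe(host, port)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "10.0.0.5; echo INJECTED"      # constructed attacker input
    print("vulnerable:", build_vulnerable(payload, "514"))
    print("hardened accepts payload?", is_accepted(payload, "514"))
    print("hardened argv:", build_safe("logs.example.net", "6514"))
```

The important design choice is the combination: validation alone is fragile (a future field such as a file path or a TLS option may not fit a simple regex), and argv-without-shell alone still lets an attacker pass option-like values such as `--config /etc/passwd` to the agent, so both are applied. `run_vulnerable` is included only so the difference can be observed locally; the payload there only echoes a marker.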

Potential Impact

The impact of CVE-2025-24351 is severe for organizations running Bosch Rexroth's ctrlX OS in industrial automation and control systems. Exploitation yields arbitrary command execution as root, which is a complete takeover of the device: unauthorized access to data on it, manipulation or destruction of control logic, disruption of the industrial process it participates in, and, depending on what the device controls, potential safety hazards. From a compromised device an attacker can install persistent malware, plant backdoors, and pivot into the surrounding operational technology (OT) network, turning a single device compromise into broader downtime and financial loss. Confidentiality, integrity, and availability are all affected, and organizations may face regulatory and compliance consequences if safety or data integrity is compromised. The absence of known exploits at the time of writing leaves a window for proactive mitigation, but the combination of network reachability and a low privilege requirement (any valid low-privileged account, including a phished or shared operator login, is sufficient) makes timely response important.

Mitigation Recommendations

To mitigate CVE-2025-24351, first identify every ctrlX OS installation running an affected version and upgrade to the patched releases published by Bosch Rexroth, following the vendor's security advisory for the exact fixed versions. Until a device is patched, restrict access to the Device Admin web interface with network segmentation and firewall rules so that only trusted administration hosts can reach it, and disable or restrict the Remote Logging functionality if it is not essential. Because the flaw is reachable by any authenticated low-privileged user, review which accounts exist on each device, remove unused or shared accounts, enforce strong authentication, and monitor for unusual logins. Where an application-layer firewall or intrusion detection system sits in front of the interface, use it to alert on or block requests to the Remote Logging endpoint whose parameters contain shell metacharacters, and regularly audit device and proxy logs for such requests. Input validation in your own integrations or scripts that talk to ctrlX OS does not fix the vendor's code path, but it prevents your automation from forwarding untrusted values into it. Coordinate with Bosch Rexroth support for guidance and updates, and record this vulnerability in industrial cybersecurity risk management and incident response plans so that detection and containment are rehearsed rather than improvised.
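The monitoring recommendation above can be made concrete with a small log scanner. The following is an added example, not tooling from the page or from Bosch Rexroth; the endpoint path `/api/device-admin/remote-logging`, the parameter names `host` and `port`, and the log lines themselves are constructed assumptions and must be replaced with the real Device Admin URLs and your proxy's actual log format. It flags requests to the watched endpoint whose remote-logging parameters contain shell metacharacters, including a double-percent-encoded payload that a single decoding pass would miss.

```python
"""Added example (not ctrlX OS tooling): flag HTTP requests to a hypothetical
remote-logging endpoint whose parameters carry shell metacharacters."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

WATCH_PATH = "/api/device-admin/remote-logging"   # hypothetical endpoint
WATCH_PARAMS = {"host", "port"}                   # hypothetical field names

# Characters and sequences a legitimate host or port never contains but a
# shell interprets: command separators, pipes, substitution, redirection.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Combined (Apache/nginx style) access log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)


def suspicious_values(target: str) -> List[Tuple[str, str]]:
    """Return (param, decoded_value) pairs that look like injection attempts."""
    parts = urlsplit(target)
    if parts.path != WATCH_PATH:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCH_PARAMS:
            continue
        for value in values:
            # parse_qs decoded once; decode again to catch %2524 -> %24 -> $
            decoded = unquote(value)
            if SHELL_META.search(decoded):
                hits.append((name, decoded))
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the check over access-log lines and return one alert per request."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a recognised access-log line
        hits = suspicious_values(match["target"])
        if hits:
            alerts.append({
                "ts": match["ts"],
                "src": match["ip"],
                "user": match["user"],
                "method": match["method"],
                "params": hits,
            })
    return alerts


# Constructed sample log; the timestamps, users and payloads are invented.
SAMPLE_LOG = [
    '10.0.0.9 - operator [30/Apr/2025:12:00:01 +0000] '
    '"GET /api/device-admin/remote-logging?host=logs.example.net&port=514 HTTP/1.1" 200 512',
    '10.0.0.9 - operator [30/Apr/2025:12:00:07 +0000] '
    '"GET /api/device-admin/remote-logging?host=10.0.0.5%3B%20id&port=514 HTTP/1.1" 200 512',
    '10.0.0.23 - viewer [30/Apr/2025:12:01:30 +0000] '
    '"GET /api/device-admin/remote-logging?host=10.0.0.5&port=514%2524(id) HTTP/1.1" 200 512',
    '10.0.0.23 - viewer [30/Apr/2025:12:02:00 +0000] '
    '"GET /api/status?q=a%3Bb HTTP/1.1" 200 128',
    '10.0.0.23 - viewer [30/Apr/2025:12:02:05 +0000] '
    '"POST /api/device-admin/remote-logging HTTP/1.1" 200 64',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Two caveats follow from the sample. The last line shows the limitation of access logs: if the real interface sends the configuration in a POST body, the parameters never reach the access log, and the check has to run inside a reverse proxy or WAF that logs or inspects request bodies. And the `viewer` account in the third line is the point of PR:L in the CVSS vector: a low-privileged user is enough, so an alert on a non-admin account should not be dismissed as noise.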


Technical Details

Data Version
5.1
Assigner Short Name
bosch
Date Reserved
2025-01-20T15:09:10.534Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 2/26/2026, 8:58:39 PM

Last updated: 3/25/2026, 4:36:36 AM