CVE-2025-27532 is a medium-severity vulnerability identified in Bosch Rexroth AG's ctrlX OS - Device Admin, specifically affecting versions 1.12.0 through 1.20.0. The vulnerability stems from the 'Backup & Restore' functionality within the web application component of ctrlX OS. It allows a remote attacker with low-privileged authenticated access to retrieve sensitive information that is stored in cleartext. The vulnerability is categorized under CWE-312, which refers to the cleartext storage of sensitive information, indicating that secret data such as credentials, tokens, or configuration secrets are not properly encrypted or protected at rest. Exploitation requires the attacker to be authenticated with low privileges, but no user interaction is necessary beyond sending multiple crafted HTTP requests to the vulnerable web interface. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). There are no known exploits in the wild at this time, and no patches have been publicly linked yet. The vulnerability could allow an attacker to gain access to secret information that could facilitate further attacks or unauthorized access within industrial control environments that use ctrlX OS devices. Given ctrlX OS is an industrial automation platform widely used in manufacturing and industrial control systems, this vulnerability poses a risk to the confidentiality of sensitive operational data and credentials within such environments.

For European organizations, particularly those in manufacturing, industrial automation, and critical infrastructure sectors, this vulnerability could lead to unauthorized disclosure of sensitive information such as device credentials, configuration secrets, or backup data. This exposure could enable attackers to escalate privileges, move laterally within networks, or disrupt industrial processes indirectly by compromising device integrity through subsequent attacks. The confidentiality breach could undermine trust in operational technology (OT) environments and potentially lead to intellectual property theft or sabotage. Since ctrlX OS is deployed in various industrial settings across Europe, organizations relying on Bosch Rexroth automation solutions may face increased risk of targeted attacks exploiting this vulnerability. The lack of impact on integrity and availability reduces the immediate risk of operational disruption, but the confidentiality compromise can be a stepping stone for more severe attacks. The requirement for low-privileged authentication limits exposure to some extent but does not eliminate risk, especially in environments where user credentials may be weak, reused, or compromised. The absence of known exploits in the wild suggests that proactive mitigation is critical to prevent future exploitation.

1. Implement strict access controls and network segmentation to limit access to the ctrlX OS Device Admin web interface, ensuring only trusted and necessary personnel can authenticate. 2. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise for low-privileged accounts. 3. Monitor and audit access logs to detect unusual or repeated HTTP requests targeting the Backup & Restore functionality, which may indicate exploitation attempts. 4. Until official patches are released, consider disabling or restricting the Backup & Restore functionality if operationally feasible, or isolate the device management network segment from broader enterprise networks. 5. Review and secure storage of sensitive information on devices by applying encryption at rest where possible, and follow Bosch Rexroth’s security advisories for updates. 6. Conduct regular vulnerability assessments and penetration testing focusing on OT environments to identify and remediate similar weaknesses. 7. Train operational staff on secure credential management and recognizing potential attack vectors targeting industrial control systems. These steps go beyond generic advice by focusing on operational technology-specific controls, network segmentation, and proactive monitoring tailored to the nature of the vulnerability and the affected product.