CVE-2025-41656 is a critical security vulnerability identified in the Pilz IndustrialPI 4 device running Firmware Bullseye. The root cause of this vulnerability is the absence of authentication for the Node_RED server component, which is not configured by default. Node_RED is a flow-based development tool commonly used for wiring together hardware devices, APIs, and online services. In this context, the lack of authentication allows an unauthenticated remote attacker to connect directly to the Node_RED server and execute arbitrary commands with high privileges on the affected device. This means the attacker can fully compromise the device, potentially controlling industrial processes or manipulating safety-critical functions. The vulnerability is classified under CWE-306, indicating missing authentication for a critical function. The CVSS v3.1 base score is 10.0 (critical), reflecting the vulnerability's ease of exploitation (no authentication or user interaction required), network attack vector, and the complete compromise of confidentiality, integrity, and availability. No patches are currently available, and no known exploits have been reported in the wild yet. The affected version is indicated as '0', which likely means all current versions with Firmware Bullseye are vulnerable unless authentication is manually configured. Given the industrial nature of the device, this vulnerability poses a severe risk to operational technology (OT) environments where Pilz IndustrialPI 4 devices are deployed, potentially leading to disruption of industrial control systems, safety hazards, and significant operational downtime.

For European organizations, especially those in manufacturing, automation, and critical infrastructure sectors, this vulnerability represents a substantial threat. Pilz IndustrialPI 4 devices are used in industrial automation and safety applications, often integrated into production lines and safety systems. An attacker exploiting this vulnerability could gain full control over these devices remotely, leading to unauthorized command execution that may disrupt manufacturing processes, cause physical damage to equipment, or endanger personnel safety. The compromise of such devices could also lead to data breaches involving sensitive operational data or intellectual property. Given the criticality of industrial control systems in Europe’s manufacturing and energy sectors, exploitation could result in significant financial losses, regulatory penalties under frameworks like NIS2 and GDPR (if personal data or critical infrastructure is impacted), and reputational damage. The lack of authentication by default increases the risk of automated scanning and exploitation attempts, potentially by nation-state actors or cybercriminal groups targeting European industrial assets. The vulnerability’s critical severity underscores the urgency for European organizations to assess their exposure and implement mitigations promptly.

1. Immediate network segmentation: Isolate Pilz IndustrialPI 4 devices from general IT networks and restrict access to trusted management networks only. 2. Implement strict firewall rules: Block all inbound traffic to the Node_RED server ports from untrusted sources. 3. Configure authentication manually: Since authentication is not enabled by default, administrators must enable and enforce strong authentication mechanisms on the Node_RED server as soon as possible. 4. Monitor network traffic: Deploy intrusion detection/prevention systems (IDS/IPS) to detect anomalous access attempts to the Node_RED server. 5. Apply compensating controls: Use VPNs or secure tunnels for remote access to these devices to prevent direct exposure. 6. Vendor engagement: Maintain close contact with Pilz for updates and patches; prioritize patch deployment once available. 7. Conduct regular security audits and penetration testing focused on OT environments to identify similar misconfigurations. 8. Develop and rehearse incident response plans specific to OT device compromise scenarios to minimize impact if exploitation occurs.