CVE-2025-41663 is a critical OS command injection vulnerability (CWE-78) affecting the Weidmueller IE-SR-2TX-WL product, specifically its u-link Management API. The vulnerability arises because the API improperly neutralizes special elements in responses returned by WWH servers. An unauthenticated remote attacker positioned as a man-in-the-middle (MitM) can exploit this flaw by injecting arbitrary OS commands into these responses. These injected commands are then executed with elevated privileges on the affected device. Exploitation requires the client to be using insecure proxy configurations that allow interception and modification of the communication between the client and the WWH servers. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved in April 2025 and published in June 2025. This flaw allows an attacker to execute arbitrary commands remotely without authentication, leveraging insecure proxy setups to intercept and manipulate traffic, which can lead to full system compromise and potentially lateral movement within industrial or network environments using the affected device.

For European organizations, especially those in industrial automation, manufacturing, or critical infrastructure sectors using Weidmueller IE-SR-2TX-WL devices, this vulnerability poses a severe risk. Successful exploitation can lead to complete compromise of affected devices, resulting in unauthorized control, data exfiltration, disruption of operations, or sabotage. The elevated privileges granted to injected commands amplify the potential damage, including persistent backdoors or destruction of system integrity. Given the device’s role in network management or industrial control, disruption could cascade to operational technology (OT) environments, impacting production lines or critical services. The requirement for insecure proxy configurations means organizations with lax network security or misconfigured proxies are at higher risk. Additionally, the lack of authentication for exploitation increases the attack surface. The critical CVSS score reflects the high likelihood of severe operational and security impacts, making it imperative for European organizations to assess their exposure and implement mitigations promptly.

1. Immediately audit and secure all proxy configurations to eliminate insecure setups that allow man-in-the-middle interception. This includes enforcing strict proxy authentication, using trusted proxy servers, and disabling any transparent or unauthenticated proxies. 2. Implement network segmentation to isolate Weidmueller IE-SR-2TX-WL devices from general IT networks and restrict access to management interfaces only to trusted hosts. 3. Employ encrypted communication channels (e.g., TLS) with certificate validation between clients and WWH servers to prevent interception and manipulation of traffic. 4. Monitor network traffic for unusual patterns indicative of MitM attacks or command injection attempts, using intrusion detection systems tailored for industrial protocols. 5. Engage with Weidmueller for patches or firmware updates addressing this vulnerability as soon as they become available and apply them promptly. 6. Conduct regular security training for network administrators to recognize and remediate insecure proxy configurations and MitM risks. 7. Consider deploying endpoint protection solutions capable of detecting anomalous command executions on affected devices. These steps go beyond generic advice by focusing on the specific exploitation vector (insecure proxies) and the operational context of the affected product.