
CVE-2025-41690: CWE-532 Insertion of Sensitive Information into Log File in Endress+Hauser Promag 10 with HART

High
Tags: Vulnerability, CVE-2025-41690, CWE-532
Published: Tue Sep 02 2025 (09/02/2025, 08:12:13 UTC)
Source: CVE Database V5
Vendor/Project: Endress+Hauser
Product: Promag 10 with HART

Description

A low-privileged attacker in Bluetooth range may be able to access the password of a higher-privilege user (Maintenance) by viewing the device’s event log. This vulnerability could allow the Operator to authenticate as the Maintenance user, thereby gaining unauthorized access to sensitive configuration settings and the ability to modify device parameters.

AI-Powered Analysis

Last updated: 09/02/2025, 08:32:45 UTC

Technical Analysis

CVE-2025-41690 is a vulnerability identified in the Endress+Hauser Promag 10 flow meter with HART communication protocol. The issue is classified under CWE-532, which involves the insertion of sensitive information into log files. Specifically, a low-privileged attacker within Bluetooth range can access the device's event log, which improperly stores the password of a higher-privilege user role (Maintenance). By extracting this password, the attacker, who may initially have only Operator-level privileges, can escalate their access to the Maintenance user level. This escalation enables unauthorized access to sensitive configuration settings and the ability to modify critical device parameters. The vulnerability has a CVSS 3.1 score of 7.4, indicating a high severity level. The attack vector is adjacent network (Bluetooth), requiring low attack complexity and low privileges but some user interaction. The scope remains unchanged, but the impact on confidentiality, integrity, and availability is high, as unauthorized users can both read sensitive data and alter device configurations. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability poses a significant risk to industrial control systems relying on Promag 10 devices, especially in environments where Bluetooth access is not tightly controlled or monitored.

Potential Impact

For European organizations, particularly those in industrial sectors such as water management, chemical processing, and manufacturing that utilize Endress+Hauser Promag 10 flow meters, this vulnerability could lead to severe operational disruptions. Unauthorized modification of device parameters could result in inaccurate flow measurements, process inefficiencies, or even safety hazards. The confidentiality breach of privileged credentials could facilitate further lateral movement within industrial control networks, potentially compromising broader operational technology (OT) environments. Given the reliance on these devices for critical infrastructure monitoring and control, exploitation could lead to regulatory non-compliance, financial losses, and damage to reputation. The Bluetooth attack vector increases risk in facilities where physical security is limited or where Bluetooth is enabled without strict access controls. Additionally, the need for user interaction (UI:R) suggests some social engineering or user involvement may be required, but the low privilege requirement and proximity-based attack vector make this vulnerability particularly concerning in shared or accessible industrial environments.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting Bluetooth access to the Promag 10 devices. This includes disabling Bluetooth if not required or implementing strict Bluetooth pairing and authentication policies.
2. Regularly audit and monitor event logs for unauthorized access attempts or suspicious activity, ensuring that sensitive information is not exposed in logs.
3. Segregate the network segments where Promag 10 devices operate, limiting access to trusted personnel and systems only.
4. Implement role-based access controls (RBAC) and enforce the principle of least privilege to minimize the number of users with Maintenance-level access.
5. Educate operators and maintenance personnel about the risks of social engineering and the importance of safeguarding credentials.
6. Coordinate with Endress+Hauser for timely patching once a fix is released; meanwhile, consider compensating controls such as enhanced physical security around devices.
7. Employ intrusion detection systems capable of monitoring Bluetooth traffic anomalies in industrial environments.
8. Review and sanitize logging configurations to ensure sensitive information like passwords is never recorded in logs.
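Items 2 and 8 above (auditing existing logs for exposed secrets, and keeping passwords out of logs in the first place) can be illustrated together. The following Python is an added example, not code from the advisory or from the Promag 10 firmware: it shows the CWE-532 call-site pattern beside a hardened one, a logging filter that redacts credential-like fields as a backstop for call sites a review missed, and a scanner that audits an existing log dump for entries that still carry a secret. The field names, the log lines and the sample password are constructed for the example.

```python
"""CWE-532 at the logging layer: a redaction filter plus an audit scanner."""
import logging
import re
from io import StringIO

# Field names a credential tends to hide behind in free-text log messages.
# Constructed for this example; a device's real event-log schema will differ.
SECRET_FIELD = re.compile(
    r"(?i)\b(password|passwd|pwd|access[_ -]?code|pin|secret|token)\b(\s*[=:]\s*)(\S+)"
)


def redact(message: str) -> str:
    """Mask the value of every credential-like field; the field name and separator
    are kept so the event stays readable and greppable."""
    return SECRET_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)


class RedactSecretsFilter(logging.Filter):
    """Last-line defence: rewrite each record before any handler formats or stores it.
    This catches call sites that application code review missed."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated by getMessage()
        return True


def find_leaks(lines):
    """Audit an existing log dump (mitigation item 2): return (line_number, field)
    for every entry whose credential-like field carries a real value rather than
    the redaction marker."""
    leaks = []
    for number, line in enumerate(lines, start=1):
        for m in SECRET_FIELD.finditer(line):
            if m.group(3) != "[REDACTED]":
                leaks.append((number, m.group(1).lower()))
    return leaks


def _build_logger(name, stream, with_filter):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if with_filter:
        logger.addFilter(RedactSecretsFilter())
    return logger


def emit_events(with_filter):
    """Write the same constructed login events through a logger with or without the
    redaction filter and return the resulting log lines."""
    stream = StringIO()
    logger = _build_logger(f"cwe532-demo-{with_filter}", stream, with_filter)
    # Vulnerable call site (the CWE-532 pattern): the entered secret becomes part of
    # the event text, so anyone who can read the event log can read the password.
    logger.warning(
        "login failed user=%s role=%s password=%s", "tech1", "Maintenance", "Maint3nance!"
    )
    # Hardened call site: only outcome, principal and role are logged. No secret
    # reaches the log whether or not the filter is installed.
    logger.info("login ok user=%s role=%s", "tech1", "Maintenance")
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in emit_events(with_filter=False):
        print("UNFILTERED:", line)
    for line in emit_events(with_filter=True):
        print("FILTERED:  ", line)
    print("leaks in unfiltered log:", find_leaks(emit_events(with_filter=False)))
```

The hardened call site is the real fix: a secret that is never passed to the logger cannot leak, whatever the logging configuration does later. The filter is defence in depth for code paths you do not control and, being pattern-based, only catches values that sit behind a recognisable field name; it also flattens `record.args`, so structured handlers downstream see a plain string. The scanner is what an audit of an exported event log looks like: run it over the dump and treat any hit as a credential to rotate, not merely a line to delete.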


Technical Details

Data Version
5.1
Assigner Short Name
CERTVDE
Date Reserved
2025-04-16T11:17:48.309Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b6a826ad5a09ad00da0d78

Added to database: 9/2/2025, 8:17:42 AM

Last enriched: 9/2/2025, 8:32:45 AM

Last updated: 9/2/2025, 11:33:04 AM

