CVE-2025-41712 is a vulnerability identified in the Janitza UMG 96RM-E 24V(5222063) energy monitoring device, classified under CWE-732, which relates to incorrect permission assignment for critical resources. The root cause is that the device’s embedded web server improperly assigns permissions, allowing an unauthenticated remote attacker to exploit this by tricking a legitimate user into uploading a maliciously crafted HTML file. This file can then be used to gain unauthorized access to sensitive information stored or accessible via the device. The attack vector requires no prior authentication but does require user interaction, specifically the user uploading the manipulated file. The vulnerability affects confidentiality but does not compromise data integrity or availability. The CVSS 3.1 score of 6.5 reflects a medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No patches or known exploits have been reported as of the publication date. The vulnerability highlights a critical security design flaw in permission management on the device’s web server, which could be leveraged in targeted attacks against energy management infrastructure.

The primary impact of CVE-2025-41712 is unauthorized disclosure of sensitive information from the Janitza UMG 96RM-E 24V device. This could include operational data, configuration details, or other critical information that could aid further attacks or industrial espionage. Since the device is used in energy monitoring and management, exposure of such data could compromise operational security and privacy. Although the vulnerability does not allow modification or disruption of device functions, the leakage of sensitive data can undermine trust and potentially facilitate subsequent attacks on industrial control systems or energy infrastructure. Organizations relying on these devices in critical infrastructure sectors such as utilities, manufacturing, and energy distribution are at risk of information leakage that could have cascading effects on operational security. The requirement for user interaction limits mass exploitation but targeted spear-phishing or social engineering campaigns could be effective. The lack of authentication requirement for the attacker increases the risk profile, especially in environments where device access is not tightly controlled.

To mitigate CVE-2025-41712, organizations should implement strict access controls on the Janitza UMG 96RM-E 24V web interface, limiting user permissions and restricting upload capabilities to trusted personnel only. User training to recognize and avoid uploading untrusted or manipulated files is critical to prevent social engineering exploitation. Network segmentation should isolate the device from general user networks to reduce exposure to unauthenticated attackers. Monitoring and logging of file upload activities on the device can help detect suspicious behavior early. Until an official patch is released, consider disabling or restricting the web server’s file upload functionality if possible. Employ web application firewalls or intrusion detection systems to detect and block malicious payloads targeting the device’s web interface. Regularly check for firmware updates from Janitza and apply them promptly once available. Additionally, conduct security audits of device configurations to ensure permissions are appropriately assigned and no unnecessary services are exposed.