
CVE-2025-48861: CWE-284 Improper Access Control in Bosch Rexroth AG ctrlX OS - Setup

Medium
Tags: Vulnerability, CVE-2025-48861, cve, cwe-284
Published: Thu Aug 14 2025 (08/14/2025, 09:07:24 UTC)
Source: CVE Database V5
Vendor/Project: Bosch Rexroth AG
Product: ctrlX OS - Setup

Description

A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps.

AI-Powered Analysis

AI analysis last updated: 08/14/2025, 09:34:24 UTC

Technical Analysis

CVE-2025-48861 is a medium-severity vulnerability identified in the ctrlX OS - Setup component developed by Bosch Rexroth AG. The vulnerability stems from improper access control (CWE-284) in the Task API endpoint of the setup mechanism. Specifically, this flaw allows a remote attacker to access the API without any authentication or user interaction, enabling them to retrieve internal application data. The exposed data may include debug logs and version information of installed applications. These details, while not directly compromising system integrity or availability, could provide valuable intelligence to an attacker for further exploitation or reconnaissance. The affected versions are 1.20.0, 2.6.0, and 3.6.0 of the ctrlX OS - Setup. The CVSS v3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The scope is unchanged, and the impact is limited to confidentiality, with no direct impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was publicly disclosed on August 14, 2025, with the initial reservation date in May 2025.

Potential Impact

For European organizations, especially those in industrial automation and manufacturing sectors using Bosch Rexroth's ctrlX OS platform, this vulnerability poses a risk of information leakage. The ctrlX OS is used in industrial control systems (ICS) and automation environments, where exposure of debug logs and version information can aid attackers in crafting targeted attacks or identifying further vulnerabilities. Although the vulnerability does not allow direct system control or disruption, the leaked information could facilitate lateral movement or privilege escalation attempts. This is particularly critical for organizations operating critical infrastructure or manufacturing plants, where operational continuity and data confidentiality are paramount. The lack of authentication and user interaction requirements increases the risk of automated scanning and exploitation attempts, potentially leading to broader reconnaissance campaigns against European industrial networks.

Mitigation Recommendations

Organizations should immediately audit their deployments of Bosch Rexroth ctrlX OS - Setup to identify affected versions (1.20.0, 2.6.0, 3.6.0). Until official patches are released, network-level mitigations should be implemented, such as restricting access to the Task API endpoint via firewall rules or network segmentation, limiting exposure to trusted management networks only. Monitoring and logging access to the Task API endpoint should be enhanced to detect anomalous or unauthorized requests. Additionally, organizations should engage with Bosch Rexroth support channels to obtain patches or updates as soon as they become available. Implementing strict access control policies and ensuring that setup interfaces are not exposed to untrusted networks will reduce the attack surface. Finally, conducting internal penetration testing focused on this endpoint can help validate the effectiveness of mitigations.
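The monitoring recommendation above can be turned into a concrete check. The following script is an added example, not code from the advisory or from Bosch Rexroth: it reads access-log lines for the setup service and flags requests to the Task API endpoint that come from outside an allow-listed management network, that carry no credentials, or that succeed (2xx) without credentials, which is the behaviour the advisory describes. The endpoint path `/setup/api/tasks`, the management network `10.10.0.0/24`, the log line format and the sample lines are all constructed placeholders; substitute the real endpoint path and the log format of your own deployment.

```python
"""Flag suspicious requests to the ctrlX OS setup Task API endpoint in access logs.

Added example (not from the advisory or the vendor). The endpoint path, the trusted
network, the log format and the sample log lines are constructed placeholders.
"""
import ipaddress
import re
from typing import Iterable

# Assumed values: placeholders, not taken from the advisory.
TASK_API_PATH = "/setup/api/tasks"
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed log format: "<client_ip> <method> <path> <status> auth=<yes|no>"
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)


def is_trusted(ip_text: str) -> bool:
    """True if the client address lies inside an allow-listed management network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable addresses are never trusted
    return any(addr in net for net in TRUSTED_NETS)


def is_task_api(path: str) -> bool:
    """Match the endpoint itself and any sub-resource under it (e.g. a task id)."""
    return path == TASK_API_PATH or path.startswith(TASK_API_PATH + "/")


def analyze(lines: Iterable[str]) -> list[dict]:
    """Return one finding per Task API request that violates the expected policy."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unexpected format: skip rather than abort the whole run
        if not is_task_api(m["path"]):
            continue  # only the setup Task API endpoint is in scope here
        reasons = []
        if not is_trusted(m["ip"]):
            reasons.append("untrusted_source")
        if m["auth"] == "no":
            reasons.append("no_credentials")
            if m["status"].startswith("2"):
                # a 2xx answer without credentials is the unauthenticated data
                # exposure the advisory describes; a 401/403 shows it was rejected
                reasons.append("unauthenticated_success")
        if reasons:
            findings.append(
                {"ip": m["ip"], "path": m["path"], "status": int(m["status"]), "reasons": reasons}
            )
    return findings


# Constructed sample log: one clean request, one unauthenticated success from an
# untrusted address, one rejected unauthenticated request, one out-of-scope request.
SAMPLE_LOG = [
    "10.10.0.5 GET /setup/api/tasks 200 auth=yes",
    "203.0.113.7 GET /setup/api/tasks/42 200 auth=no",
    "10.10.0.9 GET /setup/api/tasks 401 auth=no",
    "198.51.100.3 GET /index.html 200 auth=no",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample the script reports two findings: the request from `203.0.113.7` (untrusted source, no credentials, and a 2xx answer) and the rejected request from `10.10.0.9` (no credentials, but a 401). Once the real endpoint path and log format are filled in, the `unauthenticated_success` reason is the one that confirms the exposure is reachable in your deployment and should be alerted on, while `untrusted_source` findings indicate the firewall or segmentation rule recommended above is not in effect.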


Technical Details

Data Version: 5.1
Assigner Short Name: bosch
Date Reserved: 2025-05-27T10:45:32.638Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689da9bdad5a09ad00592736

Added to database: 8/14/2025, 9:17:49 AM

Last enriched: 8/14/2025, 9:34:24 AM

Last updated: 8/14/2025, 3:48:54 PM

