First published: Thu May 01 2025
KUNBUS PiCtory versions 2.11.1 and earlier are vulnerable to reflected cross-site scripting via the sso_token query parameter used for authentication. The parameter value is echoed back into the page, so if an attacker gets a user to open a PiCtory URL whose sso_token contains HTML script, that script is reflected to the user's browser and executed in the context of the PiCtory interface.
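The following Node.js snippet is an added illustration of the bug class described above; it is not PiCtory's or KUNBUS's code. It models a handler that writes sso_token straight into an HTML attribute (the vulnerable shape), the hardened equivalent that rejects non-token-shaped values and HTML-encodes on output, and a small access-log scan that flags requests whose sso_token is not token-shaped. The hostname, paths, token alphabet and log lines are constructed assumptions.

```javascript
// Added example, not PiCtory's own code: a minimal model of the reflected-XSS
// pattern the advisory describes, its hardened equivalent, and a log check.
// Uses only Node.js built-ins (the global URL class), so it runs offline.
// Host, paths, token alphabet and log lines below are constructed assumptions.

const BASE = "http://pictory.local"; // assumed host, only needed to parse relative URLs

// Vulnerable pattern: sso_token is read from the query string and written
// straight into an HTML attribute. A value such as "><script>...</script>
// closes the attribute and the script runs in the victim's browser.
function renderVulnerable(requestUrl) {
  const token = new URL(requestUrl, BASE).searchParams.get("sso_token") ?? "";
  return `<form method="post" action="/pictory/login">` +
         `<input type="hidden" name="sso_token" value="${token}">` +
         `</form>`;
}

// Hardened pattern: (1) reject anything that is not token-shaped before it
// reaches the template, (2) HTML-encode on output anyway (defence in depth).
// The alphabet is an assumption; substitute the real token format in practice.
const TOKEN_RE = /^[A-Za-z0-9._-]{16,512}$/;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

function renderHardened(requestUrl) {
  const token = new URL(requestUrl, BASE).searchParams.get("sso_token");
  if (token === null || !TOKEN_RE.test(token)) {
    // Do not echo the rejected value back: that would just be another sink.
    return { status: 400, body: "<p>Invalid or missing sso_token.</p>" };
  }
  return {
    status: 200,
    body: `<form method="post" action="/pictory/login">` +
          `<input type="hidden" name="sso_token" value="${escapeHtml(token)}">` +
          `</form>`,
  };
}

// Detection: scan Common Log Format access-log lines for requests whose
// sso_token (after URL decoding) is not token-shaped. One record per hit.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

function findSuspiciousTokens(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, client, time, path] = m;
    let token;
    try {
      token = new URL(path, BASE).searchParams.get("sso_token");
    } catch {
      continue; // request line not parseable as a URL; skip it
    }
    if (token !== null && !TOKEN_RE.test(token)) {
      hits.push({ client, time, token });
    }
  }
  return hits;
}

// Constructed sample log: a benign token, an attack-style token, an unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/May/2025:10:00:00 +0000] "GET /pictory/?sso_token=abcdefghijklmnop1234 HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/May/2025:10:00:07 +0000] "GET /pictory/?sso_token=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
  '10.0.0.5 - - [01/May/2025:10:01:00 +0000] "GET /pictory/static/app.js HTTP/1.1" 200 99000',
];

// Usage: renderVulnerable(attackUrl) reflects the script tag, renderHardened(attackUrl)
// returns status 400 with no script, findSuspiciousTokens(SAMPLE_LOG) returns the 10.0.0.9 hit.
```

The hardened handler validates before it renders, so a rejected token never reaches any template, and the output encoding covers the case where the accepted alphabet is later widened. The log scan applies the same token rule to past traffic, which is the quickest way to find out whether crafted links were actually delivered to users.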
Credit: ics-cert@hq.dhs.gov
Affected Software | Affected Version | How to fix
---|---|---
KUNBUS PiCtory | 2.11.1 and earlier | Update the PiCtory package to version 2.12

KUNBUS advisory metadata:
* Critical infrastructure sectors: Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
* Countries/areas deployed: Worldwide
* Company headquarters location: Germany
KUNBUS has identified the following specific mitigations that users can apply to reduce risk:
* Update the PiCtory package to version 2.12. The preferred method is KUNBUS's management UI, Cockpit; alternatively, the update package can be downloaded from http://packages.revolutionpi.de/pool/main/p/pictory/ .
* By the end of April 2025, KUNBUS plans to release a new Cockpit plugin that exposes the relevant configuration in a graphical interface. Until then, users should activate authentication; the guide at https://www.kunbus.com/files/media/misc/kunbus-2025-0000002-remediation.pdf explains how.
CVE-2025-36558 matters because the injection point is the sso_token used for authentication: its value is reflected into the page, so a single crafted link is enough for an attacker to run script in the victim's browser in the context of the PiCtory interface.
To fix CVE-2025-36558, update the PiCtory package to version 2.12, the release KUNBUS names as containing the fix; until the update is applied, activate authentication as described in the KUNBUS remediation guide.
CVE-2025-36558 is a reflected cross-site scripting (XSS) vulnerability triggered by a malicious sso_token value in a PiCtory URL.
CVE-2025-36558 affects users utilizing KUNBUS PiCtory versions 2.11.1 and earlier across critical infrastructure sectors.
Further information on CVE-2025-36558 can be found in official advisories from CISA and MITRE.