CVE-2025-26409

Feb. 18, 2025, 6:15 p.m.

None
No Score

Description

A serial interface can be accessed with physical access to the PCB of Wattsense Bridge devices. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device. This issue is fixed in recent firmware versions BSP >= 6.4.1.

Product(s) Impacted

Product Versions
Wattsense Bridge
  • >= 6.4.1

Weaknesses

CWE-1191
On-Chip Debug and Test Interface With Improper Access Control
The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.
CWE-1299
Missing Protection Mechanism for Alternate Hardware Interface
The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.

References

https://r.sec-consult.com/wattsense
https://support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes

Tags

551230f0-3615-47bd-b7cc-93e92e730bbf
CWE-1299
CWE-1191
2025-02-11
CVE-2025-26409

Date

  • Published: Feb. 11, 2025, 10:15 a.m.
  • Last Modified: Feb. 18, 2025, 6:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

551230f0-3615-47bd-b7cc-93e92e730bbf

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.