CVE-2025-41690

Summary

A low-privileged attacker in bluetooth range may be able to access the password of a higher-privilege user (Maintenance) by viewing the device’s event log. This vulnerability could allow the Operator to authenticate as the Maintenance user, thereby gaining unauthorized access to sensitive configuration settings and the ability to modify device parameters.

Affected Software

VendorProductVersion RangeStatus
Endress+HauserPromag 10 with HART0 < 01.00.06affected
Endress+HauserPromag 10 with IO-Link0 < 01.00.02affected
Endress+HauserPromag 10 with Modbus0 < 01.00.06affected
Endress+HauserPromass 10 with HART0 < 01.00.06affected
Endress+HauserPromass 10 with IO-Link0 < 01.00.02affected
Endress+HauserPromass 10 with Modbus0 < 01.00.06affected

Weaknesses

  • CWE-532: CWE-532 Insertion of Sensitive Information into Log File

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References