CVE-2025-41728

Summary

A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response.

Affected Software

VendorProductVersion RangeStatus
Beckhoff AutomationBeckhoff.Device.Manager.XAR0.0.0 < 2.5.3affected
Beckhoff AutomationMDP software package for TwinCAT/BSD0.0.0 < 1.7.0.0affected
Beckhoff AutomationMDP for Beckhoff RT Linux(R)0.0.0 < 0.0.5affected

Weaknesses

  • CWE-125: CWE-125 Out-of-bounds Read

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References