Threat Advisory

RevPi Webstatus Vulnerability Allows Login Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A critical authentication bypass vulnerability (CVE-2025-41646) has been discovered in the RevPi Webstatus application, allowing unauthenticated attackers to bypass login checks by exploiting a logic flaw in JSON parsing. By sending a simple request with a boolean value, an attacker can gain unauthorized access to the web interface without a valid password. This flaw affects all versions up to and including v2.4.5, posing severe risks such as unauthorized configuration changes, surveillance, or denial of service in industrial automation systems. The vulnerability carries a CVSS base score of 9.8.

  • CVE-2025-31022: The vulnerability stems from improper type handling in the password verification process. When the JSON value true is passed in the hashcode parameter, the system incorrectly accepts it as valid authentication. This bypass occurs due to weak type coercion in the authentication logic, enabling attackers to exploit the flaw with minimal effort.

This vulnerability poses a high risk to industrial control systems where RevPi Webstatus is deployed. Unauthorized access could lead to configuration changes, data exposure, or disruption of critical processes.
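As an added example (not code from the RevPi project or from this advisory), the following Python models the hardened form of the check described above: the hashcode parameter is accepted only as a well-formed string digest, so a JSON boolean is refused rather than coerced, and the same inspection doubles as a detection label for request logs. The field name comes from the advisory; the 64-character hex digest format, the request structure and the sample bodies are assumptions constructed here.

```python
import hmac
import json
from typing import Optional, Tuple

# Constructed reference digest (64 hex chars). Assumption: the advisory does not
# state the real hashcode format, so a SHA-256-style hex string is assumed.
STORED_HASHCODE = "a" * 64
HEX = set("0123456789abcdef")

def inspect_login_body(raw_body: str) -> Tuple[Optional[str], Optional[str]]:
    """Parse a login body and return (problem, hashcode). problem is None only
    when 'hashcode' is a well-formed string digest; otherwise it names the
    defect, which doubles as a detection label for request logs."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return "unparseable JSON", None
    if not isinstance(body, dict):
        return "body is not a JSON object", None
    value = body.get("hashcode")
    if isinstance(value, bool):          # bool first: bool subclasses int
        return "boolean instead of string", None
    if value is None:
        return "missing or null", None
    if not isinstance(value, str):
        return f"{type(value).__name__} instead of string", None
    if len(value) != 64 or set(value.lower()) - HEX:
        return "malformed digest", None
    return None, value.lower()

def authenticate(raw_body: str, stored_hashcode: str = STORED_HASHCODE) -> bool:
    """Hardened check: refuse on any type or shape problem, then compare the
    digest in constant time. No truthiness or loose equality is involved."""
    problem, hashcode = inspect_login_body(raw_body)
    if problem is not None:
        return False
    return hmac.compare_digest(hashcode, stored_hashcode.lower())

def flag_login_request(raw_body: str) -> Optional[str]:
    """Detection wrapper: the defect label, or None for a normal request."""
    return inspect_login_body(raw_body)[0]

# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "valid": json.dumps({"hashcode": STORED_HASHCODE}),
    "boolean": json.dumps({"hashcode": True}),
    "number": json.dumps({"hashcode": 1}),
    "missing": json.dumps({}),
}
```

Running `authenticate` over `SAMPLES` accepts only the well-formed string digest, while `flag_login_request` labels the boolean, numeric and missing variants for alerting.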

RECOMMENDATION:

  • We strongly recommend you update RevPi Webstatus to version 2.4.6 or later.

REFERENCES:

The following reports contain further technical details:
