The Bosch Rexroth ctrlX CORE is a widely adopted platform in industrial automation. Valued for its open architecture and seamless integration with modern manufacturing and IoT systems, it is deployed across diverse Industry 4.0 use cases, such as assembly lines, energy distribution, robotics, and other smart factory operations.
In this blog, Nozomi Networks Labs uncovers 15 zero-day vulnerabilities affecting the Bosch Rexroth ctrlX CORE that could have exposed industrial environments to serious risks. The most severe of these flaws, such as CVE-2025-24351 (CVSS 8.8) and CVE-2025-24346 (CVSS 7.5), allow attackers to execute arbitrary commands with the highest privileges, potentially leading to operational disruptions, extraction of sensitive data, or lateral movement to further compromise the OT network. While some of these flaws require low privileges or user interaction, others can be exploited remotely with no preconditions, presenting a significant security challenge.
Upon reporting the vulnerabilities to Bosch Rexroth, the vendor promptly developed and released patches to correct them. The official advisory BOSCH-SA-640452 is also available in the Bosch Rexroth Security Advisories page. As part of our ongoing commitment to Nozomi Networks customers, our Threat Intelligence service has been enhanced with new methods to detect these vulnerabilities across devices.
This article begins with a brief overview of the ctrlX CORE platform, examines the impact of the discovered vulnerabilities, analyzes the most dangerous ones in detail, and concludes with recommendations for mitigating these security risks.

Research Scope
ctrlX CORE is a highly flexible and scalable control platform developed by Bosch Rexroth, designed to meet the ever-evolving demands of industrial automation. One of the standout features of ctrlX CORE is its open architecture, which supports both traditional and modern industrial and IoT technologies. Built on a Linux-based operating system, it allows users to run a wide range of apps and software from different vendors, or even to develop custom applications of their own.
A key component of ctrlX CORE is its web-based application, a ubiquitous component in today's PLC systems. This interface offers users a comprehensive suite of tools to supervise and manage their Bosch Rexroth devices remotely from a centralized platform, offering real-time access to operational status, performance metrics, diagnostics, and many other features.

What Are the Impacts of These Vulnerabilities?
The 15 vulnerabilities identified in the Bosch Rexroth ctrlX CORE could have presented substantial security implications for industrial environments. Below are some examples of the potential attack scenarios that could have arisen from their exploitation:
- Operational Disruptions: Several of the identified vulnerabilities could affect device availability, rendering it inaccessible from remote locations or even completely inoperable at critical moments. An attacker could exploit these flaws to trigger system slowdowns, unexpected shutdowns, or loss of control over automation processes—potentially leading to production delays, operational disruptions, and increased maintenance costs.
- Extraction of Sensitive Industrial Data: Some of the discovered vulnerabilities could have enabled attackers to access sensitive data, such as proprietary process parameters or user credentials. This information could be exploited for industrial espionage—providing malicious actors with insight into confidential manufacturing techniques—or used in credential stuffing attacks, where stolen username-password pairs are tested across other systems to gain unauthorized access.
- Lateral Movement to Compromise the OT Network: Since the ctrlX CORE is essentially a Linux-based system on ARM or x86 architecture, compromising it could give attackers a full-fledged beachhead into the OT network, where security often relies on the risky assumption that all nodes are trustworthy. They could exploit this access to launch Man-in-the-Middle (MitM) attacks on unsecured industrial protocols, or target known vulnerabilities on SCADA systems, enabling lateral movement and deeper network compromise.
As highlighted in the introduction, while some vulnerabilities require low privileges or user interaction to exploit, others can be remotely leveraged with no preconditions. More critically, certain flaws can be chained together, potentially enabling exploitation of low-privilege vulnerabilities by an attacker with no initial authentication. These attack chains amplify the risk of the individual vulnerabilities, making remediation efforts even more urgent. More details are available in the “Vulnerability Spotlight” section.
List of Vulnerabilities and Affected Versions
The following table lists the 15 vulnerabilities found, ordered by CVSS v3.1 base score.
The vulnerabilities affect the following components of ctrlX CORE:
- ctrlX OS - Device Admin
  - CVE-2025-24339, CVE-2025-24340, CVE-2025-24341, CVE-2025-24342, CVE-2025-24346, CVE-2025-24347, CVE-2025-24348, CVE-2025-24349, CVE-2025-24350
    - Version(s): 1.12.0 - 1.12.9 (inclusive)
    - Version(s): 1.20.0 - 1.20.7 (inclusive)
    - Version(s): 2.6.0 - 2.6.7 (inclusive)
  - CVE-2025-24345, CVE-2025-24351
    - Version(s): 1.20.0 - 1.20.7 (inclusive)
    - Version(s): 2.6.0 - 2.6.7 (inclusive)
  - CVE-2025-27532
    - Version(s): 1.12.0 - 1.12.9 (inclusive)
    - Version(s): 1.20.0 - 1.20.7 (inclusive)
- ctrlX OS - Solutions
  - CVE-2025-24338, CVE-2025-24343, CVE-2025-24344
    - Version(s): 1.12.0 - 1.12.1 (inclusive)
    - Version(s): 1.20.0 - 1.20.1 (inclusive)
    - Version(s): 2.6.0 - 2.6.0 (inclusive)
Vulnerability Spotlight
Of the 15 identified vulnerabilities, the majority require some form of authentication credentials to be exploited, but three of them can be exploited by unauthenticated attackers.
One of these, CVE-2025-24342, is a username enumeration vulnerability, i.e., a vulnerability that allows unauthenticated attackers to identify valid usernames and thus greatly reduce the effort required for a successful brute-force attack.
Username enumeration flaws typically rely on response discrepancies, such as different error messages depending on whether the supplied username is valid. CVE-2025-24342, by contrast, is a time-based username enumeration vulnerability: although the login function returns the same response in both cases, it is still vulnerable because it terminates immediately for non-existent usernames, whereas for valid ones it continues with the password check.
Normally, this delay is minimal and indistinguishable from normal network noise. However, by supplying a very long password (the web application accepted login attempts with passwords of up to 256 characters), an attacker can significantly increase the hash computation time in the password checking phase, making the response time difference measurable and the attack viable.
Figure 2 portrays the results of a proof-of-concept attack, where “boschrexroth”, “user1”, “admin1”, and “user2” – the valid usernames – have led to a meaningful delay in the response when logins are attempted with long passwords. Since the web application does not have anti-brute-force measures enabled by default, this provides an initial method for an attacker to gain some level of access to ctrlX CORE.
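The following is an added example, not code from the blog post or from ctrlX OS, showing the login pattern described above beside a hardened version. The credential store, salts and passwords are constructed for the demo, and the count of hash computations each function performs stands in for the response-time difference an observer would measure.

```python
import hashlib
import hmac

ITERATIONS = 50_000        # PBKDF2 work factor, chosen for the demo
MAX_PASSWORD_LEN = 128     # enforced before any lookup or hashing


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow password hash; its cost grows with ITERATIONS and, for PBKDF2,
    with the length of the password fed to the underlying HMAC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store for the demo; nothing here comes from a device.
_SALTS = {"boschrexroth": b"demo-salt-0001", "user1": b"demo-salt-0002"}
_USERS = {"boschrexroth": _pbkdf2("correct horse", _SALTS["boschrexroth"]),
          "user1": _pbkdf2("battery staple", _SALTS["user1"])}
_DUMMY_SALT = b"demo-salt-dummy"
_DUMMY_HASH = _pbkdf2("not-a-real-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> tuple[bool, int]:
    """Returns (authenticated, hash_computations). The count stands in for
    the wall-clock delay a remote observer measures: unknown users return
    without hashing, valid users pay one PBKDF2 over a password the client
    chose, so a long password makes the difference measurable."""
    stored = _USERS.get(username)
    if stored is None:
        return False, 0
    return hmac.compare_digest(_pbkdf2(password, _SALTS[username]), stored), 1


def login_hardened(username: str, password: str) -> tuple[bool, int]:
    """Same work on every path: the length cap is applied before the user is
    looked up, and an unknown user is checked against a dummy hash so that
    the expensive step runs regardless of whether the account exists."""
    if len(password) > MAX_PASSWORD_LEN:
        return False, 0                      # identical for every username
    stored = _USERS.get(username)
    salt = _SALTS.get(username, _DUMMY_SALT)
    expected = stored if stored is not None else _DUMMY_HASH
    matches = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return matches and stored is not None, 1
```

Pair the dummy-hash path with the rate limiting the post notes is absent by default; equalizing cost removes the oracle but does not by itself slow down guessing.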

Once access to the device is obtained, the vulnerabilities available to an attacker for further exploitation depend on the privilege level of the compromised account.
The most severe scenario occurs when an attacker acquires access to an account with the privileges to manage the “Remote Logging” functionality. In such a situation, they may exploit CVE-2025-24351, an OS command injection vulnerability with root privileges due to improperly validated input that is eventually included in a shell command. Figure 3 shows an excerpt from a strace session while injecting the Linux command “id”. Exploiting this vulnerability results in full device compromise, enabling all attack scenarios outlined in the section “What Are the Impacts of These Vulnerabilities?”.

Similar consequences can occur if an attacker gains access to the “Proxy” functionality. In this case, they may exploit CVE-2025-24346, which stems from the improper validation of an input parameter enabling the injection of newline characters. This vulnerability can ultimately be used to insert new entries into “/etc/environment”, allowing the attacker to redefine sensitive environment variables (e.g., “PATH”, as demonstrated in Figure 4) or introduce new ones to manipulate the behavior of specific binaries. While exploitation may be less straightforward compared to CVE-2025-24351, it can lead to similarly severe outcomes.
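As an added illustration of the newline-injection pattern behind CVE-2025-24346 (not the vendor's code), the block below shows a writer that interpolates a setting into a KEY=VALUE file unchecked, a minimal reader of that one-assignment-per-line format, and a hardened writer that rejects control characters before anything is written. The variable name and proxy value are constructed.

```python
import re

_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_env_vulnerable(key: str, value: str) -> str:
    """Interpolates the caller-supplied value unchecked: a value that embeds
    a newline turns into a second, caller-chosen assignment in the file."""
    return f"{key}={value}\n"


def is_safe_env_value(value: str) -> bool:
    """An environment value must stay on one line: reject CR, LF, NUL and
    every other control character before the value reaches the file."""
    return all(ord(c) >= 0x20 and c != "\x7f" for c in value)


def render_env_hardened(key: str, value: str) -> str:
    """Validates the key against the POSIX name grammar and the value with
    is_safe_env_value; raises instead of writing anything questionable."""
    if not _KEY_RE.match(key):
        raise ValueError(f"invalid environment variable name: {key!r}")
    if not is_safe_env_value(value):
        raise ValueError("control characters are not allowed in a value")
    return f"{key}={value}\n"


def parse_env(text: str) -> dict:
    """Minimal reader of the one-assignment-per-line format, which is exactly
    why an injected newline becomes an extra variable at the next login."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            env[k.strip()] = v.strip()
    return env
```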

Finally, even when no privileges are obtained to leverage the more impactful vulnerabilities, an attacker can still exploit CVE-2025-24341. This is an “Allocation of Resources Without Limits or Throttling” weakness that arises because the web application, for monitoring purposes, saves the value of each HTTP User-Agent header involved in authenticated sessions without enforcing a maximum length. As the values are stored in the memory of one of ctrlX OS’s main processes, an attacker who sends a large number of login requests, each carrying an exceptionally long User-Agent header, can exhaust the device’s RAM.
Once the RAM is close to being fully exhausted, the device becomes extremely slow and unable to process further requests or interactions (Figure 5). In our lab tests, this condition was reached after about 5 minutes of attack. Moreover, even after the excessive login requests stop, the device does not recover on its own, forcing the asset owner to power cycle it to regain control.
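To make the resource-exhaustion pattern concrete, the added example below (not ctrlX OS code) contrasts a session store that keeps every User-Agent verbatim with one that bounds both header length and the number of retained records; the login counts, header sizes and limits are constructed for the demo.

```python
from collections import OrderedDict


class SessionStoreVulnerable:
    """Retains every login's User-Agent verbatim and forever: memory grows
    with (number of logins) x (header length), both chosen by the client."""

    def __init__(self) -> None:
        self.sessions = {}

    def record_login(self, session_id: str, user_agent: str) -> None:
        self.sessions[session_id] = user_agent.encode("utf-8")

    def bytes_held(self) -> int:
        return sum(len(ua) for ua in self.sessions.values())


class SessionStoreBounded:
    """Truncates the header at intake and keeps at most max_sessions records,
    evicting the oldest, so memory is capped at max_sessions * max_ua_len."""

    def __init__(self, max_sessions: int = 100, max_ua_len: int = 512) -> None:
        self.max_sessions = max_sessions
        self.max_ua_len = max_ua_len
        self.sessions = OrderedDict()

    def record_login(self, session_id: str, user_agent: str) -> None:
        # Keep a prefix for diagnostics rather than rejecting the login.
        self.sessions[session_id] = user_agent.encode("utf-8")[: self.max_ua_len]
        self.sessions.move_to_end(session_id)
        while len(self.sessions) > self.max_sessions:
            self.sessions.popitem(last=False)

    def bytes_held(self) -> int:
        return sum(len(ua) for ua in self.sessions.values())

    def worst_case_bytes(self) -> int:
        return self.max_sessions * self.max_ua_len


def simulate_login_flood(store, logins: int, ua_len: int) -> int:
    """Replays `logins` authentications, each with a constructed User-Agent of
    `ua_len` bytes, and returns the bytes the store retains afterwards."""
    for i in range(logins):
        store.record_login(f"session-{i}", "A" * ua_len)
    return store.bytes_held()
```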

Remediation
After the vulnerabilities were reported to Bosch Rexroth, the vendor responded immediately by developing and releasing patches, now available through the official ctrlX CORE update channels. In addition, the security advisory BOSCH-SA-640452 has been published on the Bosch Rexroth Security Advisories page. Organizations leveraging the Bosch Rexroth ctrlX CORE platform for automation are strongly advised to update the affected components without delay to reduce the risk of potential exploitation.
If applying the patches is not feasible for any reason, Nozomi Networks Labs recommends the following mitigations to help secure existing installations:
- To mitigate the risk of exploitation of the unauthenticated vulnerabilities, asset owners should restrict and closely monitor the network access to the device’s management web application, ensuring that only trusted users can connect. Furthermore, it is strongly recommended to disable access to the unencrypted HTTP port (port 80) and permit connections exclusively over HTTPS (port 443).
- To address the risk posed by authenticated vulnerabilities, organizations should perform a comprehensive audit of all user accounts with access to the ctrlX CORE web application. Particular attention should be given to accounts with access to the following functionalities: Backup & Restore, Certificates and Keys, Hosts, Network Interfaces, Proxy, Remote Logging, and Manages App Data. Any unnecessary or unused accounts should be promptly removed to reduce the potential attack surface.
- To further mitigate the risk posed by authenticated vulnerabilities, asset owners should regularly audit the configuration and contents of these functionalities: Network Interfaces, Proxy, Remote Logging, and Manages App Data. These reviews should verify that all settings conform to expected operational parameters and that no unauthorized modifications or suspicious files are present.