Node-RED Under Siege: Unauthenticated Remote Command Execution (CVE-2025-41656)

CVE-2025-41656 exposes Node-RED installations to critical unauthenticated remote command execution, posing severe risks to industrial and IoT environments.
ZeroPath Security Research

2025-07-01

Introduction

Node-RED, a powerful tool widely adopted in industrial automation and IoT ecosystems, faces a critical security threat. CVE-2025-41656 exposes default Node-RED installations to unauthenticated remote attackers, enabling them to execute arbitrary commands with elevated privileges. This vulnerability is particularly alarming for industrial control systems (ICS), where compromise could lead to catastrophic operational disruptions.

Technical Information

The core issue stems from Node-RED's default configuration, which does not enforce authentication: adminAuth is left undefined in settings.js. With no credentials required, anyone who can reach the Node-RED editor interface (typically exposed on TCP port 1880 or 41880) can deploy flows, and a deployed flow can run arbitrary operating system commands under the account that runs Node-RED.

Attackers exploit this vulnerability by deploying flows that contain exec nodes. An exec node runs a system-level command, so such a flow can do anything the Node-RED process can, such as spawning a reverse shell or reading sensitive system files. A minimal example of such a flow, reduced to a single exec node:

[{ "id": "cve-41656-poc", "type": "exec", "command": "bash", "z": "", "addpay": false, "append": "", "useSpawn": "false", "timer": "", "winHide": false, "oldrc": false, "name": "RCE", "x": 400, "y": 200, "wires": [[]] }]
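The two defender-side checks that follow from the paragraphs above are (a) whether a settings.js actually enforces adminAuth and (b) which nodes in a deployed flow can run operating-system commands. The script below is an added example written for this page, not code from the Node-RED project or from the original report. The function names, the sample settings objects and the sample flow are all constructed here; the bcrypt hash is a placeholder-shaped string, and a real deployment would use the output of node-red admin hash-pw instead.

```javascript
// Added example (not Node-RED project code): two small audit helpers for the
// misconfiguration described above. All sample data below is constructed.

// bcrypt hashes, as produced by `node-red admin hash-pw`, look like
// $2a$/$2b$/$2y$ + two-digit cost + 53 characters of salt and digest.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Return a list of findings for a settings.js object; empty means nothing found.
function auditSettings(settings) {
  const findings = [];
  const auth = settings.adminAuth;
  if (!auth) {
    // The vulnerable default: editor and Admin API accept unauthenticated requests.
    findings.push("adminAuth is not defined: editor and Admin API are unauthenticated");
    return findings;
  }
  if (auth.type !== "credentials" && typeof auth.authenticate !== "function") {
    findings.push(`adminAuth.type is "${auth.type}": expected "credentials" or a custom strategy`);
  }
  // `default` describes what anonymous users may do; "*" means full access.
  if (auth.default && auth.default.permissions === "*") {
    findings.push('adminAuth.default grants "*" to anonymous users: equivalent to no authentication');
  }
  const users = Array.isArray(auth.users) ? auth.users : [];
  for (const u of users) {
    if (!BCRYPT_RE.test(String(u.password || ""))) {
      findings.push(`user "${u.username}": password is not a bcrypt hash (use node-red admin hash-pw)`);
    }
  }
  return findings;
}

// Scan a flow export (the JSON array the editor produces) for exec nodes,
// the node type the report describes, and report what each one would run.
function findExecNodes(flow) {
  return flow
    .filter((n) => n && n.type === "exec")
    .map((n) => ({ id: n.id, name: n.name || "", command: n.command || "", tab: n.z || "" }));
}

// Constructed sample 1: the insecure default, adminAuth simply absent.
const insecureSettings = { uiPort: 1880 };

// Constructed sample 2: adminAuth present, but the password was typed in plaintext.
const weakSettings = {
  uiPort: 1880,
  adminAuth: { type: "credentials", users: [{ username: "admin", password: "admin", permissions: "*" }] },
};

// Constructed sample 3: the hardened form. PLACEHOLDER_HASH is 60 characters in
// the bcrypt alphabet so it passes the format check; it is not a real hash.
const PLACEHOLDER_HASH = "$2b$08$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0";
const hardenedSettings = {
  uiPort: 1880,
  adminAuth: { type: "credentials", users: [{ username: "admin", password: PLACEHOLDER_HASH, permissions: "*" }] },
};

// Constructed sample flow: inject -> exec("bash") -> debug.
const sampleFlow = [
  { id: "n1", type: "inject", z: "tab1", name: "tick", wires: [["n2"]] },
  { id: "n2", type: "exec", z: "tab1", name: "RCE", command: "bash", addpay: false, wires: [["n3"], [], []] },
  { id: "n3", type: "debug", z: "tab1", name: "", wires: [] },
];

for (const [label, s] of Object.entries({ insecureSettings, weakSettings, hardenedSettings })) {
  console.log(label, auditSettings(s));
}
console.log("exec nodes:", findExecNodes(sampleFlow));
```

Running the script flags the first two settings objects and passes the third, and lists the single exec node in the sample flow. In practice the flow check is run against the flows file on disk (or the Admin API's flow export) on a schedule, so that a newly deployed exec node shows up as a change rather than being discovered after the fact.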

Affected Node-RED versions include all releases up to and including 3.1.8. Industrial devices, notably KUNBUS Revolution Pi PLCs with firmware versions up to 01/2025, are particularly vulnerable due to their default configurations.

Affected Systems and Versions

  • Node-RED versions ≤3.1.8
  • KUNBUS Revolution Pi PLC firmware ≤01/2025

Default configurations without explicitly defined adminAuth settings are vulnerable.

Vendor Security History

Node-RED has historically delayed critical security features, such as mandatory authentication, until version 4.0. The OpenJS Foundation, responsible for Node-RED, has faced criticism for prioritizing usability over security, resulting in vulnerabilities like CVE-2025-41656.

KUNBUS GmbH, associated with Revolution Pi PLCs, has encountered similar authentication bypass vulnerabilities, indicating a recurring security maturity issue.

References

Source: This report was created using AI
