Introduction
Node-RED, a flow-based programming tool widely used in industrial automation and IoT, is the subject of CVE-2025-41656. On affected default installations an unauthenticated remote attacker can reach the editor and execute arbitrary operating-system commands with elevated privileges. The impact is most serious on industrial control systems (ICS), where a compromised controller can disrupt physical processes.
Technical Information
The core issue is Node-RED's default configuration, which does not enforce authentication: adminAuth is left undefined in settings.js. With no credentials required, an attacker who can reach the editor (typically TCP port 1880, or 41880 on some devices) also reaches the admin API behind it, and can deploy a flow of their own that runs arbitrary operating-system commands.
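The weak default beside a hardened settings.js, with an audit function that reports the conditions the vulnerability depends on, as an added example that is not the advisory's or the Node-RED project's own code. It assumes a settings.js of the usual Node-RED shape; the user names and the bcrypt-shaped placeholder hash are constructed (a real hash comes from `node-red admin hash-pw`).

```javascript
// Added example, not from the advisory or from the Node-RED project: the
// shipped default beside a hardened settings.js, plus an audit function that
// reports the conditions CVE-2025-41656 depends on. User names and the hash
// below are constructed placeholders.

// `node-red admin hash-pw` emits a 60-character bcrypt hash ("$2b$08$...").
// This placeholder only has the right shape; it is not a real hash.
const PLACEHOLDER_HASH = "$2b$08$" + "0".repeat(53);

// 1. The default a stock install starts from: no adminAuth, editor reachable
//    on every interface. The editor and the /flows admin API accept any client
//    that can open TCP/1880.
const defaultSettings = {
  uiPort: 1880,
  // adminAuth is deliberately absent, as in the shipped settings.js
};

// 2. Hardened settings. Every key here is a documented settings.js option.
const hardenedSettings = {
  uiPort: 1880,
  uiHost: "127.0.0.1",          // loopback only; reach the editor over SSH/VPN
  adminAuth: {
    type: "credentials",
    users: [
      { username: "admin",  password: PLACEHOLDER_HASH, permissions: "*" },
      { username: "viewer", password: PLACEHOLDER_HASH, permissions: "read" },
    ],
  },
  httpAdminRoot: "/admin",       // editor and admin API off the root path
  disableEditor: true,           // production controller: flows are fixed.
                                 // This does NOT disable the admin API, so
                                 // adminAuth is still required.
};

// Shape of a bcrypt hash: $2a/$2b/$2y, two-digit cost, 53 base64 chars.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Returns a list of findings; an empty list means none of the checked
// conditions is present.
function auditSettings(settings) {
  const findings = [];
  if (!settings.adminAuth) {
    findings.push("adminAuth undefined: editor and /flows API are unauthenticated");
  } else {
    for (const u of settings.adminAuth.users || []) {
      if (!BCRYPT_RE.test(u.password)) {
        findings.push(`user ${u.username}: password is not a bcrypt hash`);
      }
    }
  }
  if (!settings.uiHost || settings.uiHost === "0.0.0.0" || settings.uiHost === "::") {
    findings.push("uiHost binds all interfaces: editor reachable from the network");
  }
  return findings;
}

module.exports = { defaultSettings, hardenedSettings, auditSettings, BCRYPT_RE, PLACEHOLDER_HASH };
```

Run `auditSettings(require('./settings.js'))` against a device's real settings file to get the same report; on the shipped default it returns two findings, on the hardened file none.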
Attackers exploit this by deploying a flow that contains an exec node. The exec node runs its configured command on the host, so the attacker can spawn a reverse shell, read sensitive system files, or run anything else the Node-RED process is permitted to. A minimal malicious flow:
[
  { "id": "tab1", "type": "tab", "label": "Flow 1" },
  { "id": "cve-41656-trigger", "type": "inject", "z": "tab1", "once": true, "wires": [["cve-41656-poc"]] },
  { "id": "cve-41656-poc", "type": "exec", "z": "tab1", "command": "bash", "addpay": false, "append": "", "useSpawn": "false", "timer": "", "winHide": false, "oldrc": false, "name": "RCE", "x": 400, "y": 200, "wires": [[], [], []] }
]

The exec node alone does nothing until a message reaches it; the inject node with once set to true fires as soon as the flow is deployed, so posting this JSON to the admin API runs the command without any further interaction.
Affected Node-RED versions include all releases up to and including 3.1.8. Industrial devices, notably KUNBUS Revolution Pi PLCs with firmware versions up to 01/2025, are particularly vulnerable due to their default configurations.
Affected Systems and Versions
- Node-RED versions ≤3.1.8
- KUNBUS Revolution Pi PLC firmware ≤01/2025
Any installation whose settings.js does not explicitly define adminAuth is vulnerable.
Vendor Security History
Node-RED has never enforced editor authentication by default: the settings.js shipped with the project leaves adminAuth commented out, and the project's own security documentation describes securing the editor as the operator's responsibility. Critics have argued that this default favours ease of use over security, and CVE-2025-41656 shows the consequence when a device vendor ships that default unchanged.
KUNBUS GmbH, the maker of the Revolution Pi PLCs, has had other missing-authentication findings reported against the same platform, which points to a recurring security maturity issue rather than a one-off oversight.
References
- CERT VDE Advisory
- Pen Test Partners Analysis
- Node-RED Security Documentation
- Node-RED GitHub Discussion
Source: This report was created using AI