Warning: Multiple Vulnerabilities in SAUTER modulo Devices, Patch Immediately!

Published: 22/10/2025
  • Last update: 22/10/2025
  • Affected software:
    → Firmware EY-modulo 5 embedded software <v6.0
    → Firmware modulo 6 embedded software <v3.2.0
  • Type:
    → Path traversal
    → Improper Validation of Syntactic Correctness of Input
    → Failure to Handle Incomplete Element
    → Use of Hard-coded Credentials
    → Reliance on File Name or Extension of Externally Supplied File
    → Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CVE/CVSS:
    → CVE-2025-41723 CVSS: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    → CVE-2025-41719 CVSS: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    → CVE-2025-41724 CVSS: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    → CVE-2025-41722 CVSS: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    → CVE-2025-41720 CVSS: 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    → CVE-2025-41721 CVSS: 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Sources

VDE CERT - https://certvde.com/en/advisories/VDE-2025-060/

Risks

SAUTER Modulo controllers are used in building automation systems to monitor and control a building’s mechanical and electrical systems. An adversary with network access to these devices could leverage the vulnerabilities to gain elevated privileges and run arbitrary commands on the device, thereby compromising the integrity, availability, and confidentiality of these systems.

The consequences of such a compromise could affect the connected physical systems and impact the safety, reliability, and productivity of the environment.

Description

The components affected by the vulnerabilities are the embedded web server and the SAUTER CASE Suite tools interface. Multiple oversights in the design of the software allow adversaries to exploit it through several vectors:

  • The importFile SOAP method can be exploited to upload files to arbitrary locations in a directory by providing a path parameter that is outside the intended directory.
  • Sending a specific packet containing unsupported characters causes the system to delete the user’s data and reset the administrator account password to the known default.
  • By sending incomplete SOAP messages, an unauthenticated attacker could crash the server, requiring a manual reboot.
  • An attacker could extract the hard-coded certificates used to verify the authenticity of SOAP messages, allowing them to reuse the key and craft legitimate messages.
  • The lack of file extension verification allows any file to be uploaded by adding the .png extension to its name.

These vulnerabilities could be exploited individually or in a chain, in order to gain complete control of the device and connected systems.
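
The path traversal and file-extension issues listed above are two gaps in the same upload check. The following is an added example, not SAUTER's code or fix: it shows the validation an upload handler needs on both the destination path and the file content. The function names and sample requests are hypothetical, and it assumes uploads are meant to be PNG images stored under a single directory.

```python
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte header of every PNG file


class UploadRejected(Exception):
    """Raised when an upload fails path or content validation."""


def resolve_upload_path(base_dir, requested):
    """Return the absolute target path, or raise if it leaves base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and symlinks; an absolute name replaces base.
    target = (base / requested).resolve()
    if base not in target.parents:
        raise UploadRejected("path escapes the upload directory")
    return target


def validate_png_upload(base_dir, requested, content):
    """Check both the destination and the bytes, never the name alone."""
    target = resolve_upload_path(base_dir, requested)
    if target.suffix.lower() != ".png":
        raise UploadRejected("extension is not .png")
    if not content.startswith(PNG_SIGNATURE):
        raise UploadRejected("content is not a PNG despite its name")
    return target


def classify(base_dir, requested, content):
    """Return 'accepted' or the rejection reason for one upload request."""
    try:
        validate_png_upload(base_dir, requested, content)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()
    # Constructed sample requests (file name, first bytes of the body).
    samples = [
        ("logo.png", PNG_SIGNATURE + b"\x00\x00\x00\rIHDR"),
        ("../../etc/settings.png", PNG_SIGNATURE),
        ("status.png", b"#!/bin/sh\n"),
    ]
    for name, body in samples:
        print(f"{name!r}: {classify(base, name, body)}")
```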

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

VDE CERT - https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json