In the rapidly evolving world of industrial automation, the need for robust cybersecurity protocols is more acute than ever, especially with the proliferation of smart devices in critical infrastructure sectors worldwide. One device that epitomizes both the promise and peril of Industry 4.0 is the KUNBUS Revolution Pi, a modular industrial PC ecosystem designed for flexibility, efficiency, and compatibility. Yet, a recent disclosure has thrust the Revolution Pi into the cybersecurity spotlight, as vulnerabilities with potentially devastating consequences have come to light.

Understanding the KUNBUS Revolution Pi

KUNBUS GmbH, headquartered in Germany, has positioned the Revolution Pi as an open, Raspberry Pi-based solution catering to diverse industrial needs including Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems. Its modular nature and Linux underpinnings have made it a favorite among engineers and system integrators seeking scalable and customizable industrial control systems.
However, as with many devices bridging IT and OT (operational technology), Revolution Pi's openness and flexibility can also introduce pathways for exploitation if secure practices are not meticulously followed.

The Latest Security Advisory: Scope and Severity

On May 1, 2025, CISA (the Cybersecurity and Infrastructure Security Agency) published ICS Advisory ICSA-25-121-01 detailing multiple high-severity vulnerabilities in the KUNBUS Revolution Pi ecosystem, specifically affecting certain versions of the Revolution Pi OS Bookworm and PiCtory packages. The technical and operational ramifications of these vulnerabilities extend well beyond isolated device compromise—threatening the integrity of critical infrastructure on a global scale.

Key Details at a Glance

  • CVSS v4 Score: Up to 9.3 (critical severity)
  • Exploitable Remotely: Yes
  • Attack Complexity: Low
  • Impacted Products: Revolution Pi OS Bookworm (01/2025 and earlier), Revolution Pi PiCtory (2.5.0 through 2.11.1)
  • Vulnerabilities:
      • Missing Authentication for Critical Function (CWE-306)
      • Authentication Bypass by Primary Weakness (CWE-305)
      • Improper Neutralization of Server-Side Includes (SSI) (CWE-97)
  • Sectors Affected: Critical Manufacturing, Energy, Transportation Systems, Water/Wastewater
  • Reported by: Adam Bromiley of Pen Test Partners

Dissecting the Vulnerabilities

1. Missing Authentication for Critical Function (CVE-2025-24522)

The most severe vulnerability centers on the absence of default authentication in the Node-RED server provided with Revolution Pi OS Bookworm (up to version 01/2025). Node-RED, a visually-driven tool empowering users to wire together hardware devices, APIs, and online services, is frequently deployed by integrators for its ease of use.
Impact:
Without enforced authentication, any unauthenticated, remote actor can access the Node-RED interface and potentially execute arbitrary commands, take control of critical processes, or hijack underlying operating systems. Based on public CVE records, this class of vulnerability is particularly damaging in industrial environments where remote and often unattended deployments are common.
  • CVSS v3.1 Base Score: 10.0 (Critical)
  • CVSS v4 Base Score: 9.3

2. Authentication Bypass by Primary Weakness (CVE-2025-32011)

A subsequent vulnerability afflicting PiCtory (2.5.0 through 2.11.1) was attributed to a path traversal flaw, enabling remote attackers to sidestep authentication mechanisms. By crafting specific requests, adversaries could gain unauthorized access to sensitive resources and administration features.
Impact:
The ability to bypass authentication opens the floodgates for lateral movement, privilege escalation, or exfiltration of configuration data, all without needing valid credentials. Path traversal vulnerabilities, especially in web-facing industrial applications, are known attack vectors for ransomware and persistent threat actors, according to multiple ICS security advisories.
  • CVSS v3.1 Base Score: 9.8 (Critical)
  • CVSS v4 Base Score: 9.3

3. Improper Neutralization of Server-Side Includes (SSI) (CVE-2025-35996 & CVE-2025-36558)

Two closely related vulnerabilities stem from improper neutralization of user-controlled input within web pages. In the first (CVE-2025-35996), an authenticated attacker can upload a specially named configuration file, leading to cross-site scripting (XSS) if the filename is not properly sanitized.
The second (CVE-2025-36558) leverages the sso_token used for authentication: if an attacker crafts an authentication URL with embedded malicious scripts, those scripts could be executed in the context of unsuspecting users.
Impact:
XSS and SSI vulnerabilities constitute a persistent risk in web interfaces, enabling attackers to hijack sessions, steal cookies, inject malicious payloads, and manipulate configurations. While partial mitigation exists (e.g., requiring some degree of user interaction or authentication), the broad attack surface of ICS web interfaces amplifies these threats.
  • CVSS v3.1 Scores: 9.0 (CVE-2025-35996), 6.1 (CVE-2025-36558)
  • CVSS v4 Scores: 8.5, 5.1

Technical Assessment and Exploitability

It is important to note that all four vulnerabilities can be exploited remotely with low attack complexity, and in the case of the Node-RED default authentication issue, no prior authentication is required at all—this dramatically heightens real-world risk, especially when devices are connected to exposed networks or the wider internet.
The use of well-documented, open platforms like Node-RED is a double-edged sword: while they grant flexibility and a robust ecosystem, their wider adoption means attackers can easily obtain practice targets and detailed documentation for exploitation.
CISA's advisory references the system's real-world deployment across critical national infrastructure. Advanced threat actors, including those aligned with nation-state interests, have repeatedly targeted similar weaknesses in IoT and ICS platforms, as shown in numerous past campaigns.

Notable Strengths and Industry Best Practices

Despite these revelations, it is worth emphasizing several key strengths of the Revolution Pi ecosystem as reported by the security and industrial automation community:
  • Strong vendor response: KUNBUS has acted quickly to develop patches, with version 2.12 of PiCtory addressing the known authentication and path traversal issues. The company has also published extensive guidance for immediate mitigation—including a secure-by-default configuration guide and a commitment to deploy a graphical Cockpit plugin by April 2025.
  • Transparency: The vulnerabilities were disclosed responsibly, with open collaboration between Pen Test Partners, KUNBUS, and CISA, setting a positive example for the sector.
  • User Support: Multiple avenues for support are available, including direct package downloads, graphical update interfaces, and comprehensive documentation.
These features bolster confidence in KUNBUS as an ICS vendor committed to continuous improvement rather than obscuring or minimizing risk.

Residual Risks and Ongoing Weaknesses

While patches and mitigations are available, several residual risks and underlying challenges should be squarely acknowledged:
  • Legacy Deployments: A significant portion of the Revolution Pi install base may be running legacy OS or PiCtory versions, particularly in highly-validated or regulated industrial environments where change cycles can be measured in years rather than weeks.
  • Default Configuration Hazards: The reliance on users to manually enable authentication and follow secure configuration guidance is a longstanding weakness in embedded and industrial software. Many operators may simply be unaware of the risks or lack the IT competence to harden devices effectively.
  • Supply Chain and Connectivity: Given Revolution Pi's global footprint—in sectors ranging from water treatment plants to energy grids—there is an unavoidable risk that some deployments remain directly or indirectly exposed to the internet, contravening both CISA and vendor best practices.
The risk of "security by obscurity" or the assumption that factory, plant, or field deployments are invisible to attackers has been thoroughly disproven in recent ICS incidents, including high-profile cases like Triton/Trisis or Stuxnet. Tools for wide-scale scanning of IoT and ICS endpoints (such as Shodan or Censys) have rendered such defenses obsolete.

Critical Infrastructure at Stake

Many industrial operators deploy Revolution Pi as a cost-effective alternative to proprietary PLCs (Programmable Logic Controllers) or as integration hubs for brownfield sensor networks, SCADA gateways, or edge analytics. The breadth of industrial sectors affected by these vulnerabilities cannot be overstated.
This is far from mere theory: adversaries have shown repeated willingness and technical prowess to exploit gaps in industrial and OT security for sabotage, extortion, or reconnaissance. ICS-CERT advisories have previously documented real-world attacks where similar authentication and input-neutralization flaws led to loss of control, operational downtime, or manipulation of safety systems.

CISA and Vendor Recommendations: Immediate and Long-Term Steps

Both KUNBUS and CISA have provided actionable, layered defense strategies to contain the risk:
  • Update Immediately: Upgrade PiCtory to version 2.12 via the KUNBUS management UI (Cockpit) or by direct package download (official KUNBUS resource).
  • Activate Authentication: Enable authentication on all exposed interfaces, especially Node-RED instances. Guidance is available in the official KUNBUS remediation document (remediation PDF).
  • Network Isolation: Place all control system devices behind strong firewalls; strictly segregate business and control networks.
  • Minimize Exposure: Never permit direct internet access to industrial control devices.
  • Use Secure Remote Access Protocols: When remote access is inevitable, modern, up-to-date VPN solutions should be employed. However, both CISA and the infosec community repeatedly warn that VPNs are only as secure as their weakest end-point.
  • Ongoing Risk Assessment: Conduct thorough, regular reviews of ICS asset inventories, exposure, and patch levels; follow up with robust impact analysis before implementing mitigation measures.
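The Node-RED default described under CVE-2025-24522 and the "Activate Authentication" step above come down to a few entries in Node-RED's settings.js. The following is an added example, not code from the advisory, CISA or KUNBUS: the insecure out-of-the-box shape beside a hardened form, plus a small audit function a defender can run over a settings object before deploying it. Field names follow Node-RED's documented settings.js (adminAuth, uiHost, https, httpNodeAuth); the bcrypt hashes and PEM values are placeholders.

```javascript
// Added example (not from the advisory or KUNBUS). Audits a Node-RED
// settings.js object for the weaknesses the advisory describes.

// Out-of-the-box shape: editor on every interface, no adminAuth, plain HTTP.
// Anyone who can reach TCP/1880 can edit and deploy flows (CWE-306).
const insecureSettings = {
  uiPort: 1880,
  // adminAuth deliberately absent: this is the default being audited
};

// Hardened form: loopback only (reach it over VPN/SSH tunnel), bcrypt-hashed
// editor credentials, TLS, and auth on HTTP-in nodes as well.
const hardenedSettings = {
  uiPort: 1880,
  uiHost: "127.0.0.1",
  adminAuth: {
    type: "credentials",
    users: [{
      username: "admin",
      // Real value comes from `node-red admin hash-pw`; this is a placeholder.
      password: "$2a$08$PLACEHOLDER_HASH_FROM_node-red_admin_hash-pw",
      permissions: "*",
    }],
  },
  httpNodeAuth: { user: "http-user", pass: "$2a$08$PLACEHOLDER_HASH" },
  // In a real settings.js these are fs.readFileSync(...) of the PEM files.
  https: { key: "<PLACEHOLDER private key PEM>", cert: "<PLACEHOLDER cert PEM>" },
};

const BCRYPT_RE = /^\$2[aby]\$\d{2}\$/; // bcrypt prefix: $2a$08$... etc.

// Returns a list of findings; an empty list means every check passed.
function auditNodeRedSettings(s) {
  const findings = [];
  if (!s.adminAuth) {
    findings.push("adminAuth missing: editor and admin API are unauthenticated");
  } else {
    const users = s.adminAuth.users || [];
    if (users.length === 0) findings.push("adminAuth has no users");
    for (const u of users) {
      if (!BCRYPT_RE.test(u.password || "")) {
        findings.push(`user ${u.username}: password is not a bcrypt hash`);
      }
    }
  }
  if (!s.uiHost || s.uiHost === "0.0.0.0") {
    findings.push("uiHost unset or 0.0.0.0: editor listens on all interfaces");
  }
  if (!s.https) findings.push("https unset: credentials and flows travel in clear text");
  if (!s.httpNodeAuth) findings.push("httpNodeAuth unset: HTTP-in endpoints are open");
  return findings;
}

console.log(auditNodeRedSettings(insecureSettings)); // four findings
console.log(auditNodeRedSettings(hardenedSettings)); // []
```

The audit only covers settings.js; it does not replace the network isolation steps above, since a loopback-bound editor still needs a protected path in.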
Additional resources are available through CISA for operators seeking to bolster their defensive posture, such as Defense in Depth strategies and control system security best practices.

Broader Lessons for the Industrial IoT Ecosystem

The Revolution Pi case is emblematic of wider trends reshaping industrial cybersecurity, highlighting:
  • The necessity for "secure by default" approaches in all critical edge and IoT devices.
  • The tension between enabling user control and maintaining strong, baked-in security measures.
  • The growing role of coordinated vulnerability disclosure and the need for global best practice sharing, as evidenced by the prompt reporting and public advisories in this case.
During cross-referencing, several public references (CVE-2025-24522, CVE-2025-32011) confirm the technical severity and affected product list as detailed above. No credible, independent reports contradict the vendor or CISA statements at the time of writing.
However, the security posture of any given Revolution Pi deployment hinges ultimately on the rigor with which updates and hardening are enforced in the real world. As the industrial threat landscape matures, regulators and industry bodies may begin mandating more proactive security lifecycle management across all smart device vendors.

No Evidence of Exploitation—Yet

At the time of advisory publication, neither CISA nor KUNBUS had received credible reports of in-the-wild exploitation targeting these specific Revolution Pi vulnerabilities. Historically, however, the lag between disclosure and attack has narrowed significantly, underscoring the urgency of prompt patching and configuration hardening.
Security professionals recommend continuous vigilance, routine network traffic monitoring for signs of anomalous activity, and following established incident response plans should compromise be suspected.

Conclusion: A Cautionary Tale and a Call to Action

The KUNBUS Revolution Pi vulnerabilities illustrated in CISA's May 2025 advisory serve as a clarion call to the entire industrial automation and critical infrastructure community. As the boundaries between digital and physical systems blur, ensuring the continued operation and safety of energy grids, water systems, and transport networks increasingly relies on robust, continuously-updated cybersecurity practices.
Operators, administrators, and integrators leveraging Revolution Pi or similar ICS technologies must prioritize urgent patching, leverage vendor resources for secure configuration, and ingrain best practices into the operational lifecycle—not as an afterthought, but as the cornerstone of resilience. The openness and cost-efficiency that drive adoption in industrial IoT must never come at the expense of security.
The lessons from KUNBUS's responsive approach should encourage further transparency and sector-wide collaboration. But with attackers constantly searching for the next soft spot in our global infrastructure, complacency is not an option. Revolution Pi’s journey underscores both the promise and pitfalls of digital transformation on the factory floor—a narrative that is far from over, but one that demands our unwavering attention.

Source: CISA KUNBUS GmbH Revolution Pi | CISA