Platform: other
Component: device-sphere
Fixed in: 1.1.0, 2.3.3
CVE-2025-41715 describes a critical vulnerability in Device Sphere affecting versions 0.0.0 through 2.3.3. This vulnerability allows an unauthenticated remote attacker to gain unauthorized access to the application's database. Successful exploitation could lead to data breaches and potential system compromise. A patch is available in version 2.3.3.
The core of this vulnerability lies in the complete lack of authentication protecting the Device Sphere database. An attacker can directly access the database without needing any credentials. This provides a direct pathway to sensitive data stored within the database, including user credentials, configuration information, and potentially application-specific data. The attacker could exfiltrate this data, modify it, or even use it to gain control of the underlying system. The lack of authentication significantly broadens the attack surface, making the application easier for malicious actors to exploit.
CVE-2025-41715 was publicly disclosed on 2025-09-24. The CVSS score of 9.8 indicates a critical severity. There are currently no known public proof-of-concept exploits available, but the ease of exploitation due to the lack of authentication suggests a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations deploying Device Sphere in environments with direct internet exposure are at significant risk. This includes deployments where the application is hosted on shared hosting platforms or where firewall configurations are not properly secured. Any environment where sensitive data is stored within the Device Sphere database is considered at risk.
Disclosure:
Exploit status:
EPSS: 0.14% (34th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-41715 is to immediately upgrade Device Sphere to version 2.3.3 or later, which includes the necessary authentication controls. If upgrading is not immediately feasible, consider implementing a temporary workaround by placing a Web Application Firewall (WAF) or reverse proxy in front of Device Sphere and configuring it to restrict access to the database port. This can act as a barrier, requiring authentication before database access is permitted. Additionally, review existing firewall rules to ensure only authorized IP addresses can access the database server. After upgrading, confirm the vulnerability is resolved by attempting to access the database via a web browser or other client without providing any credentials; access should be denied.
Update Device Sphere to version 1.1.0 or higher, or to version 2.3.3 or higher. This fixes the missing authentication for database access. Further details on the update can be found in the vendor's security advisory.
CVE-2025-41715 is a critical vulnerability in Device Sphere versions 0.0.0–2.3.3 that allows unauthenticated remote access to the database, potentially leading to data compromise.
If you are using Device Sphere versions 0.0.0 through 2.3.3, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade Device Sphere to version 2.3.3 or later to resolve the vulnerability. As a temporary workaround, implement a WAF or reverse proxy to restrict database access.
While no public exploits are currently known, the ease of exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Refer to the Device Sphere official security advisory for detailed information and updates regarding CVE-2025-41715.