Platform: other
Component: device-sphere
Fixed in: 1.1.0, 2.3.3
CVE-2025-41715 describes a critical vulnerability in Device Sphere affecting versions 0.0.0 through 2.3.3. This vulnerability allows an unauthenticated remote attacker to gain unauthorized access to the application's database. Successful exploitation could lead to data breaches and potential system compromise. A patch is available in version 2.3.3.
The core of this vulnerability is the complete absence of authentication on the Device Sphere database: an attacker can connect to it directly without any credentials. This gives a direct path to the sensitive data it holds, including user credentials, configuration information, and potentially application-specific data. The attacker could exfiltrate that data, modify it, or use it to gain control of the underlying system. The missing authentication significantly broadens the attack surface and lowers the effort required to exploit the flaw.
CVE-2025-41715 was publicly disclosed on 2025-09-24. The CVSS score of 9.8 indicates critical severity. No public proof-of-concept exploits are currently known, but because exploitation requires no authentication, the probability of exploitation is high if the vulnerability remains unpatched. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status: EPSS 0.14% (34th percentile)
The primary mitigation for CVE-2025-41715 is to upgrade Device Sphere immediately to version 2.3.3 or later, which adds the missing authentication controls. If upgrading is not immediately feasible, a temporary workaround is to place a Web Application Firewall (WAF) or reverse proxy in front of Device Sphere and configure it to restrict access to the database port, so that authentication is enforced before any database access is permitted. Additionally, review existing firewall rules to ensure only authorized IP addresses can reach the database server. After upgrading, confirm the vulnerability is resolved by attempting to access the database from a web browser or another client without supplying any credentials; access should be denied.
Update Device Sphere to version 1.1.0 or higher, or to version 2.3.3 or higher. This will correct the missing authentication for database access. See the vendor security advisory for more details on the update.
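The advisory's verification step and the firewall review both come down to one question: can an unauthorized network location open a connection to the database port at all? The following is an added example, not code from the advisory or from the Device Sphere project. It probes a host and port with a bare TCP connection (no credentials) and reports whether the port is reachable and whether the service volunteers a banner; the host, port and the local stand-in listener used for testing are assumptions, since the advisory does not name the database engine or its port.

```python
import socket
import threading
from dataclasses import dataclass


@dataclass
class ExposureResult:
    reachable: bool   # True if a TCP connection to the port succeeded
    banner: bytes     # any unsolicited bytes the service sent (empty if none)
    detail: str       # human-readable explanation of the verdict


def check_db_exposure(host: str, port: int, timeout: float = 3.0) -> ExposureResult:
    """Attempt an unauthenticated TCP connection to the database port.

    Run this from a network location that should NOT be authorized. After the
    firewall / proxy workaround, the expected result is reachable=False. After the
    upgrade, the port may still answer, but the application-level check from the
    advisory (a client without credentials must be refused) is what proves the fix.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256)   # many databases greet before auth
            except socket.timeout:
                banner = b""
        return ExposureResult(True, banner, "TCP connect succeeded; port is reachable from here")
    except OSError as exc:   # refused, filtered (timeout) or unroutable
        return ExposureResult(False, b"", f"connection failed: {exc}")


def start_fake_db(banner: bytes) -> int:
    """Constructed local stand-in for an exposed database listener (test aid only).

    Binds 127.0.0.1 on an ephemeral port, serves exactly one connection by sending
    the given banner, then shuts down. Returns the chosen port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def unused_port() -> int:
    """Reserve and release an ephemeral port so a connection to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    result = check_db_exposure(sys.argv[1], int(sys.argv[2]))
    print(result.detail, result.banner)
```

Invoke it as `python check_db_exposure.py <db-host> <db-port>` from a host outside the authorized IP list; a `reachable=True` result after applying the firewall restriction means the rule is not taking effect.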
CVE-2025-41715 is a critical vulnerability in Device Sphere versions 0.0.0–2.3.3 that allows unauthenticated remote access to the database, potentially leading to data compromise.
If you are using Device Sphere versions 0.0.0 through 2.3.3, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade Device Sphere to version 2.3.3 or later to resolve the vulnerability. As a temporary workaround, implement a WAF or reverse proxy to restrict database access.
While no public exploits are currently known, the ease of exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Refer to the Device Sphere official security advisory for detailed information and updates regarding CVE-2025-41715.