Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities by Viessmann

    CVE-2025-9495 (GCVE-0-2025-9495)

    Vulnerability from nvd – Published: 2025-09-23 01:16 – Updated: 2025-09-23 13:33
    VLAI
    Title
    Viessmann Vitogate 300 Authentication Bypass
    Summary
    The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-602 - Client-Side Enforcement of Server-Side Security
    Assigner
    Impacted products
    Vendor Product Version
    Viessmann Vitogate 300 Affected: 1 , < 3.0.0.0 (date)
    Create a notification for this product.
    Credits
    Souvik Kandar of MicroSec (microsec.io)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9495",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-23T13:33:41.544746Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-23T13:33:47.319Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vitogate 300",
              "vendor": "Viessmann",
              "versions": [
                {
                  "lessThan": "3.0.0.0",
                  "status": "affected",
                  "version": "1",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Souvik Kandar of MicroSec (microsec.io)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser\u2019s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device.\u003cbr\u003e"
                }
              ],
              "value": "The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser\u2019s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-602",
                  "description": "CWE-602 Client-Side Enforcement of Server-Side Security",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-23T01:16:53.619Z",
            "orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
            "shortName": "Carrier"
          },
          "references": [
            {
              "url": "https://https://www.corporate.carrier.com/product-security/advisories-resources/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eThese\nvulnerabilities have been fixed with Vitogate 300 software version 3.1.0.1. \u003c/p\u003e\n\n\u003cp\u003eCustomers\nare strongly encouraged to upgrade by downloading software version 3.1.0.1 or newer at the\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://connectivity.viessmann-climatesolutions.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html\"\u003eVitogate\n300 website.\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "These\nvulnerabilities have been fixed with Vitogate 300 software version 3.1.0.1. \n\n\n\nCustomers\nare strongly encouraged to upgrade by downloading software version 3.1.0.1 or newer at the\nVitogate\n300 website."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Viessmann Vitogate 300 Authentication Bypass",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
        "assignerShortName": "Carrier",
        "cveId": "CVE-2025-9495",
        "datePublished": "2025-09-23T01:16:53.619Z",
        "dateReserved": "2025-08-26T17:40:58.043Z",
        "dateUpdated": "2025-09-23T13:33:47.319Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-9494 (GCVE-0-2025-9494)

    Vulnerability from nvd – Published: 2025-09-23 01:12 – Updated: 2025-09-23 13:34
    VLAI
    Title
    Viessmann Vitogate 300 OS Command Injection
    Summary
    An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the `/cgi-bin/vitogate.cgi` endpoint is affected, when the `form` JSON parameter is set to `form-0-2`. The vulnerability stems from the fact that that function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to `popen()`. Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Viessmann Vitogate 300 Affected: 1 , < 3.1.0.0 (SKU)
    Create a notification for this product.
    Date Public
    2025-09-22 16:00
    Credits
    adhkr of LuwakLab working with Trend Micro Zero Day Initiative
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9494",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-23T13:33:59.911370Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-23T13:34:06.974Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vitogate 300",
              "vendor": "Viessmann",
              "versions": [
                {
                  "lessThan": "3.1.0.0",
                  "status": "affected",
                  "version": "1",
                  "versionType": "SKU"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "adhkr of LuwakLab working with Trend Micro Zero Day Initiative"
            }
          ],
          "datePublic": "2025-09-22T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the `/cgi-bin/vitogate.cgi` endpoint is affected, when the `form` JSON parameter is set to `form-0-2`. The vulnerability stems from the fact that that function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to `popen()`. Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices.\u003cbr\u003e"
                }
              ],
              "value": "An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the `/cgi-bin/vitogate.cgi` endpoint is affected, when the `form` JSON parameter is set to `form-0-2`. The vulnerability stems from the fact that that function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to `popen()`. Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-23T01:12:17.459Z",
            "orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
            "shortName": "Carrier"
          },
          "references": [
            {
              "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThese\nvulnerabilities have been fixed with Vitogate 300 software version 3.1.0.1. \u003c/p\u003e\n\n\u003cp\u003eCustomers\nare strongly encouraged to upgrade by downloading software version 3.1.0.1 at the\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://connectivity.viessmann-climatesolutions.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html\"\u003eVitogate\n300\u0026nbsp;\u003c/a\u003ewebsite.\u003cb\u003e\u003c/b\u003e\u003c/p\u003e"
                }
              ],
              "value": "These\nvulnerabilities have been fixed with Vitogate 300 software version 3.1.0.1. \n\n\n\nCustomers\nare strongly encouraged to upgrade by downloading software version 3.1.0.1 at the\u00a0Vitogate\n300\u00a0website."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Viessmann Vitogate 300 OS Command Injection",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
        "assignerShortName": "Carrier",
        "cveId": "CVE-2025-9494",
        "datePublished": "2025-09-23T01:12:17.459Z",
        "dateReserved": "2025-08-26T17:40:54.110Z",
        "dateUpdated": "2025-09-23T13:34:06.974Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-9495 (GCVE-0-2025-9495)

    Vulnerability from cvelistv5 – Published: 2025-09-23 01:16 – Updated: 2025-09-23 13:33
    VLAI
    Title
    Viessmann Vitogate 300 Authentication Bypass
    Summary
    The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-602 - Client-Side Enforcement of Server-Side Security
    Assigner
    Impacted products
    Vendor Product Version
    Viessmann Vitogate 300 Affected: 1 , < 3.0.0.0 (date)
    Create a notification for this product.
    Credits
    Souvik Kandar of MicroSec (microsec.io)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9495",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-23T13:33:41.544746Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-23T13:33:47.319Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vitogate 300",
              "vendor": "Viessmann",
              "versions": [
                {
                  "lessThan": "3.0.0.0",
                  "status": "affected",
                  "version": "1",
                  "versionType": "date"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Souvik Kandar of MicroSec (microsec.io)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser\u2019s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device.\u003cbr\u003e"
                }
              ],
              "value": "The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser\u2019s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-602",
                  "description": "CWE-602 Client-Side Enforcement of Server-Side Security",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-23T01:16:53.619Z",
            "orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
            "shortName": "Carrier"
          },
          "references": [
            {
              "url": "https://https://www.corporate.carrier.com/product-security/advisories-resources/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eThese\nvulnerabilities have been fixed with Vitogate 300 software version 3.1.0.1. \u003c/p\u003e\n\n\u003cp\u003eCustomers\nare strongly encouraged to upgrade by downloading software version 3.1.0.1 or newer at the\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://connectivity.viessmann-climatesolutions.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html\"\u003eVitogate\n300 website.\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "These\nvulnerabilities have been fixed with Vitogate 300 software version 3.1.0.1. \n\n\n\nCustomers\nare strongly encouraged to upgrade by downloading software version 3.1.0.1 or newer at the\nVitogate\n300 website."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Viessmann Vitogate 300 Authentication Bypass",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
        "assignerShortName": "Carrier",
        "cveId": "CVE-2025-9495",
        "datePublished": "2025-09-23T01:16:53.619Z",
        "dateReserved": "2025-08-26T17:40:58.043Z",
        "dateUpdated": "2025-09-23T13:33:47.319Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-9494 (GCVE-0-2025-9494)

    Vulnerability from cvelistv5 – Published: 2025-09-23 01:12 – Updated: 2025-09-23 13:34
    VLAI
    Title
    Viessmann Vitogate 300 OS Command Injection
    Summary
    An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the `/cgi-bin/vitogate.cgi` endpoint is affected, when the `form` JSON parameter is set to `form-0-2`. The vulnerability stems from the fact that that function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to `popen()`. Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Viessmann Vitogate 300 Affected: 1 , < 3.1.0.0 (SKU)
    Create a notification for this product.
    Date Public
    2025-09-22 16:00
    Credits
    adhkr of LuwakLab working with Trend Micro Zero Day Initiative
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9494",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-23T13:33:59.911370Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-23T13:34:06.974Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vitogate 300",
              "vendor": "Viessmann",
              "versions": [
                {
                  "lessThan": "3.1.0.0",
                  "status": "affected",
                  "version": "1",
                  "versionType": "SKU"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "adhkr of LuwakLab working with Trend Micro Zero Day Initiative"
            }
          ],
          "datePublic": "2025-09-22T16:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the `/cgi-bin/vitogate.cgi` endpoint is affected, when the `form` JSON parameter is set to `form-0-2`. The vulnerability stems from the fact that that function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to `popen()`. Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices.\u003cbr\u003e"
                }
              ],
              "value": "An OS command injection vulnerability has been discovered in the Vitogate 300, which can be exploited by malicious users to compromise affected installations. Specifically, the `/cgi-bin/vitogate.cgi` endpoint is affected, when the `form` JSON parameter is set to `form-0-2`. The vulnerability stems from the fact that that function at offset 0x21c24 does not properly sanitize supplied input before interpolating it into a format string which gets passed to `popen()`. Consequently, an authenticated attacker is able to inject arbitrary OS commands and thus gain code execution on affected devices."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-23T01:12:17.459Z",
            "orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
            "shortName": "Carrier"
          },
          "references": [
            {
              "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThese\nvulnerabilities have been fixed with Vitogate 300 software version 3.1.0.1. \u003c/p\u003e\n\n\u003cp\u003eCustomers\nare strongly encouraged to upgrade by downloading software version 3.1.0.1 at the\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://connectivity.viessmann-climatesolutions.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html\"\u003eVitogate\n300\u0026nbsp;\u003c/a\u003ewebsite.\u003cb\u003e\u003c/b\u003e\u003c/p\u003e"
                }
              ],
              "value": "These\nvulnerabilities have been fixed with Vitogate 300 software version 3.1.0.1. \n\n\n\nCustomers\nare strongly encouraged to upgrade by downloading software version 3.1.0.1 at the\u00a0Vitogate\n300\u00a0website."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Viessmann Vitogate 300 OS Command Injection",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
        "assignerShortName": "Carrier",
        "cveId": "CVE-2025-9494",
        "datePublished": "2025-09-23T01:12:17.459Z",
        "dateReserved": "2025-08-26T17:40:54.110Z",
        "dateUpdated": "2025-09-23T13:34:06.974Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }