Multiple Critical Vulnerabilities in Sprecher Automation SPRECON-E-C/-E-P/-E-T3

Title

Multiple Critical Vulnerabilities

Product

Sprecher Automation SPRECON-E-C/-E-P/-E-T3

Vulnerable Version

See vulnerable versions below

Fixed Version

See solution section below

CVE Number

CVE-2022-4333, CVE-2022-4332, CVE-2025-41741, CVE-2025-41742, CVE-2025-41743, CVE-2025-41744

Impact

critical

Homepage

https://www.sprecher-automation.com

Found

26.08.2022

By

Steffen Robertz, Christian Hager (Office Vienna) | SEC Consult Vulnerability Lab

Management summary

The SPRECON-E-C/-E-P/-E-T3 systems by Sprecher Automation were affected by multiple critical vulnerabilities related to firmware integrity, secure boot, static keys/passwords, hard-coded vendor accounts and transport encryption. An attacker with access to firmware files, network traffic or physical access to a device could extract sensitive keys and credentials, decrypt communications, or analyze and potentially introduce manipulated components. The vendor provides updates and workarounds, which should be reviewed and applied promptly.

Vendor description

"Sprecher Automation provides products and solutions for power supply and process automation. We secure critical infrastructures and optimise complex energy and industry processes. [...] Quality, availability and security – those are not only our customers's requirements, but also goals we are striving for. Due to that, for example, the hard- and software development are located in Austria and Germany. We produce exclusively in Austria – starting with the production of single elements, to system checks and practical inhouse testing."

Source: https://www.sprecher-automation.com/en/company

Business recommendation

The vendor provides updated versions as well as workaround information in their security advisories. Users should verify whether the patches are installed already, otherwise patch immediately.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.

Vulnerability overview/description

1) Leak of Firmware Signing Private Key (CVE-2025-41741)

Sprecher signs its firmware update files to prevent an attacker from loading manipulated update files. However, each PLC contains the globally valid private signing key, as it is also used to sign backups. An attacker, who obtains the key is able to ship validly signed, modified firmware updates. 

The security vulnerability has been resolved in firmware version 9 and above. Further details can be found in the advisory of the vendor. In previous versions the affected feature can be deactivated by the customer. The stated key can only be used in conjunction with the backup feature.

Affected products: SPRECON-E-C/-E-P/-E CPU Modul  

2) Missing Secure-Boot Mechanism (CVE-2022-4332)

The PLC is able to detect secure boot violations correctly. However, the events are not handled properly. They only output a warning to the boot log, but do not prevent the device's operation. Thus, anybody with physical access to the device can modify the firmware and potentially include backdoors.

The security vulnerability has been resolved in firmware version 8.71a and above, as well as 8.64m. Further details can be found in the advisory of the vendor. In current and previous versions the affected feature can be deactivated by the customer.

Affected products: SPRECON-E-C/-E-P/-E

3) Unencrypted External Flash Memory (CVE-2022-4332)

The external flash memory can be dumped using tools such as the Xgecu T56. This allows an attacker with physical access to read all files and thus gain knowledge about sensitive files such as passwords and private keys.

The security vulnerability has been resolved in firmware version 9 and above. Further details can be found in the advisory of the vendor. In current and previous versions the affected feature can be deactivated by the customer.

Affected products: SPRECON-E-C/-E-P/-E-T3

4) Usage of static passwords (CVE-2025-41742)

Various static passwords / key material can be discovered in the firmware. They serve  different use cases, such as hard-coded user accounts, as well as encryption for settings and configuration files. This allows an attacker to decrypt configuration files, modify them and properly encrypt them again.

According to the vendor, the documented static identity string does not serve a security purpose in the system and is used as an identifier for maintenance. Using the default identifier can lead to the targeted system being misidentified during maintenance.

Affected products: SPRECON-E-C/-E-P/-E-T3

5) Hard-coded Vendor Accounts (CVE-2022-4333)

Two hard-coded vendor accounts were revealed in the devices. These accounts are shipped with every update file and can be used by the vendor e.g. for support access.

These documented accounts can be activated or deactivated in the configuration. These accounts are additionally secured with 2FA in firmware version 8.71g.

Affected products: SPRECON-E-C/-E-P/-E-T3

6) Decrypt Firmware Update Files (CVE-2025-41743)

Firmware update files include hard-coded accounts from vulnerability 5 and can be decrypted using an XOR algorithm and a static password. This allows an attacker to further analyze PLC components as well as gaining knowledge of private keys and hard-coded accounts without requiring physical access to any device.

The signature and encryption mechanism have been modified and the security vulnerability has been resolved in version 8.71 and above. Further details can be found in the advisory of the vendor.

Affected products: SPRECON-E-C/-E-P/-E-T3

7) Insecure Transport Encryption (CVE-2025-41744)

The PLC's webserver and the connection to the Sprecher Engineering Center software use the same static default key on all devices. An attacker who gains access to the private key via vulnerability 3 or 6 can thus decrypt all traffic in a man-in-the-middle position. Thus, an attacker would be able to change configurations and read connection passwords.

According to the vendor, those certificates are only used during initial commissioning and users can find further information to change the certificates in the documentation/guideline "SPRECON Grundhärtung" (basic hardening). The vendor's hardening guide makes it clear that it is both possible and recommended to change the default certificate. 

Documentation: 94.2.913.50en SPRECON Basic Hardening

Proof of concept

1) Leak of Firmware Signing Private Key (CVE-2025-41741)

Backups are restored by the same command flow as regular update files. Thus, backups need to be validly signed as well. For this, Sprecher's private key is required. The following openssl command signs the created backup:

openssl dgst -sha256 -sign ${SSM_CERT}/.backup.key -passin file:${SSM_CERT}/.pass -out
${SSM_SECURE_DIR}/image.sha256 ${SSM_SECURE_DIR}/image.zip 2>/dev/null

The private key and password are both stored in the same filesystem and can be obtained via the decrypted firmware update file (vulnerability 6) or the unencrypted flash memory (vulnerability 3).

2) Missing Secure-Boot Mechanism (CVE-2022-4332)

The main SoC of the SPRECON E-C-94 is an i.MX6. The board does not fully enable High-Assurance Boot (HAB). Thus, the firmware and bootloader can be modified. The modification is detected, however, since secure boot is not fully enabled, the violation will not be handled. The following boot log  can be seen on the device's service connector (X6). The first bootline was manipulated to include the string "SECTEST".

REL_UBOOT_SECTEST_2015_07_RC7 SPL (Mar 11 2022 - 10:55:26)
Booting from SPI
Image Entry Point: 0x17800000
Image Load Address: 0x177FFFC0
Image Size: 0x48000
Authenticate image from DDR location 0x177fffc0...
Authenticated Image Size = 0x46000
Load Addr = 0x17800000
HAB not enabled
U-Boot Authentication Successful
[...]
Authenticate image from DDR location 0x12000000...
Authenticated Image Size = 0x7bc000
HAB not enabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
[...]
zImage Authentication Successful

3) Unencrypted External Flash Memory (CVE-2022-4332)

The main memory is a BGA153 eMMC flash memory. Thus, it can be read by multiple tools such as the Xgecu T56. By dumping its contents, an attacker can extract password hashes from the `/etc/passwd` or `/etc/shadow` file and gain access to the private key from vulnerability 1.

4) Usage of static passwords (CVE-2025-41742)

4.1) Static Passwords in Sprecher Engineering Studio

Two different passwords can be used to call an internal function. This can be seen in following code snippet:

iVar3 = _strcmp(local_28,"**redacted**");
if (((iVar3 == 0) || (iVar3 = _strcmp(local_28,"**redacted**"), iVar3 == 0)) ||(iVar3 = _strcmp(local_28,"**redacted**"), iVar3 == 0)) {
    FUN_10001780(local_28,0x20,"XXX");
}

Unfortunately, we were not able to fully determine the use case of these credentials.

4.2) Static Passwords in Sprecher Engineering Studio Configuration files

When exporting configurations from the Engineering Studio, a .sprXecz file will be created. It is encrypted using a static password.

4.3) Webserver Settings Export

The webserver exports its settings as .jzp file. However, this is just a renamed .zip file which uses a static password.

4.4) OpenVPN and IPSEC Settings Export/Import

OpenVPN profiles and IPSEC settings are exported/imported as zip files. They are encrypted with a static password.

5) Hard-coded Vendor Accounts (CVE-2022-4333)

The `/etc/passwd` file and `/etc/shadow` file reveal hard-coded password hashes for the "sprecon" and "spradm" accounts. These accounts are shipped with the update files (tested with official downloadable version 8.71) and there seems to be no option for deleting or changing their passwords.

The usability of the accounts is configurable via the configuration. Details to deactivate the accounts are included in the hardening guidelines.

6) Decrypt Firmware Update Files (CVE-2025-41743)

SPRECON firmware update files are encrypted. However, they use XOR magic and static passwords as encryption method. Due to limited time, we did not reverse engineer the XOR algorithm and instead ran the decoding binaries using QEMU. First, the fwimaker binary was run to create a regular zip file from the XORed .fwi file by running the following command:

qemu-arm -L /usr/arm-linux-gnueabihf ./fwimaker x sce_P9pu244_sc_864l_crypt.fwi extracted.zip

Afterwards the ZIP file can be decompressed and decrypted. An attacker is now able to read the static password hashes and further analyze components of the PLC.

According to the vendor, manipulated firmware update files cannot be flashed anymore, due to the usage of firmware signing.

7) Insecure Transport Encryption (CVE-2025-41744)

The file `/etc/rbac/default.pem` contains a private key which is used for the HTTPS encryption of the webserver. Further, the same key is used to encrypt the communication with the Sprecher Engineering Studio. An attacker can use vulnerability 3 or 6 to obtain the private key and can then decrypt communication in a man-in-the-middle position. The certificate has following fingerprint:

E9:AF:F4:F1:90:83:3C:5B:0B:E2:DF:E1:DF:31:69:B5:C1:EC:90:52

One device using the same certificate was discovered on the internet.

According to the vendor, those certificates are only used during initial commissioning and users can find further information to change the certificates in the documentation/guideline "SPRECON Grundhärtung" (basic hardening). The vendor's hardening guide makes it clear that it is both possible and recommended to change the default certificate of the vendor.

Vulnerable / tested versions

The following firmware version & product has been tested where the vulnerabilites have been identified:

  • Leittechnik Firmware: 8.6.4i on SPRECON E-C-94

According to the vendor, the following products and firmware versions are affected:

  • Issue 1 - CVE-2025-41741) SPRECON-E-C/-E-P/-E CPU Module Version Amsel - PU245 and Falcon - PU244 in firmware version < v9.0
  • Issue 2 & 3 - CVE-2022-4332) SPRECON-E-C/-E-P/-E-T3 (variant PU244x), SPRECON-V460 - firmware <v8.71a (except 8.64m)
  • Issue 4 - CVE-2025-41742) SPRECON-E-C/-E-P/-E-T3
  • Issue 5 - CVE-2022-4333) SPRECON-E-C/-E-P/-E-T3 (variants PU243x, PU244x, MC33/34, SPRECON-EDIR), SPRECON-V460
  • Issue 6 - CVE-2025-41743) SPRECON-E-C/-E-P/-E-T3 in firmware versions <v9.0
  • Issue 7 - CVE-2025-41744) SPRECON-E-C/-E-P/-E-T3

Vendor contact timeline

Our vulnerabilities were identified in August 2022 where a third party directly submitted the vulnerabilities to the vendor. We took over the coordination in November 2023 again also because a vulnerability verification/recheck was planned.

2023-11-23 Contacting vendor through SPRECON contact form on website (https://www.sprecher-automation.com/anfrage-sprecon)
2023-11-24 Vendor responds that vulnerabilities have not been assigned to separate advisories. The vulnerabilities have not yet been fixed as a new security subsystem needs to be implemented. First fixes are scheduled for end of Q1/2024 but maintenance releases have been rolled out to migitate some issues. A full fix is planned for the major product version and afterwards CVEs and details will be published in accordance with E-CERT and BSI.
2024-10-30 Requesting status update of responsible disclosure.
2024-10-31 Sprecher did not yet receive the results of the recheck. Sprecher will clarify the internal state of the responsible disclosure process. Our contact person is not directly working at Sprecher anymore but as a contractor.
2024-12-05 Requesting status update again and a contact at Sprecher.
2024-12-09 No firmware updates for all devices yet. No specific timeline yet, estimated for Q1 2025.
2025-02-10 Requested status update.
2025-03-18 Requested update as the current state of patches is unclear, informing vendor that our contact person has changed as well. No response.
2025-05-19 Requested status update. No response.
2025-07-10 Requested update.
2025-07-14 Sprecher responds that the security contact for our advisory changed and we should contact another person (who was in CC all the communication attempts before).
2025-07-16 Sprecher wants to schedule a short meeting to discuss the current status.
2025-07-18 Exchanging several date suggestions for the meeting.
2025-08-20 Meeting with Sprecher and providing the current state of the advisory.
2025-09-22 Submitting another (different) security advisory to Sprecher.
2025-09-23 Meeting with Sprecher regarding the current state of the vulnerabilities. Scheduling follow-up meeting for 7th October.
2025-10-07 Sprecher cancelled planned meeting on short notice. Our CNA shortly phoned with Sprecher. Setup a new meeting and communicated that a normal responsible disclosure timeline is 3 months.
2025-10-13 Meeting with Sprecher and our CNA and agreeing on a mutual timeline regarding the advisory release. Sprecher will give feedback regarding CVE assignment, provided CVE-2022-4332 and CVE-2022-4333. Vendor will provide information regarding vulnerability 4 until 2025-10-17. SEC Consult removes sensitive information from advisory and that manipulated images cannot be exploited (issue 6) and that the vendor recommends changing certificates (issue 7). The vendor blog post will be released on 24th October and our publication is then planned for 27th October. Sending the current state of the advisory again.
2025-10-15 Asking whether Sprecher received our encrypted email, asking for confirmation. No response from the vendor.
2025-10-17 Preparing the release of the advisory. Sending the final draft of the advisory to Sprecher with a target release date on the 2025-10-27. Contacting CERT@VDE regarding CVE-2022-4332 + CVE-2022-4333.
2025-10-20 Vendor responds that our draft advisory is incorrect, contains already published (from their side) CVEs and requests further coordination for responsible disclosure.
2025-10-21 Contacting CERT@VDE regarding potential support.
2025-10-22 CERT@VDE cannot support our case as Sprecher is not a partner.
2025-10-23 Adjusted timeline again and submitted draft advisory to Sprecher. Asking for a meeting.
2025-11-05 Meeting with vendor, discussing vulnerabilities & next steps, vendor will provide further information as well as feedback to our advisory.
2025-11-05 Vendor provides CVE numbers and links to their advisories.
2025-11-06 Adjusting advisory with feedback of vendor and CVE numbers etc., submitting latest draft version to vendor again.
2025-11-19 Asking the vendor for a status update & feedback.
2025-12-02 Vendor responds with adjusted advisory feedback.
2025-12-15 Informing vendor about internal delays on our side regarding publication.
2026-06-11 Sending adjusted advisory to vendor & proposed publication date (17th June).
2026-06-17 Public release of security advisory.

Solution

The vendor provides relevant updates and/or workarounds for the specific issues in their own advisories:

(PDFs in German)

Workaround

See vendor advisories for the specific workarounds and mitigations.

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF S. Robertz, C. Hager, S. Schweighofer / @2026

 

Interested to work with the experts of SEC Consult? Send us your application.
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices.
 

Back