CVE-2025-41709 PUBLISHED

Command injection in power analyzer via Modbus-TCP and Modbus-RTU

Assigner: CERTVDE
Reserved: 16.04.2025 Published: 10.03.2026 Updated: 10.03.2026

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor: Janitza
Product: UMG 96RM-E 24V (5222063)
Versions: Default: unaffected
  • affected from 0.0 to 3.13 (incl.)

Vendor: Janitza
Product: UMG 96RM-E 230V (5222062)
Versions: Default: unaffected
  • affected from 0.0 to 3.13 (incl.)

Vendor: Weidmueller
Product: ENERGY METER 750-230 (2540910000)
Versions: Default: unaffected
  • affected from 0.0 to 3.13 (incl.)

Vendor: Weidmueller
Product: ENERGY METER 750-24 (2540900000)
Versions: Default: unaffected
  • affected from 0.0 to 3.13 (incl.)

Credits

  • Deutsche Telekom Security (DT Security) (reporter)

Problem Types

  • CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')