CVE-2025-41744 PUBLISHED

Sprecher Automation: SPRECON-E series has static default key material for TLS connections

Assigner: CERTVDE
Reserved: 16.04.2025 Published: 02.12.2025 Updated: 02.12.2025

Sprecher Automations SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Sprecher Automation
Product	SPRECON-E-C
Versions	Default: unaffected Version * is affected

Vendor	Sprecher Automation
Product	SPRECON-E-P
Versions	Default: unaffected Version * is affected

Vendor	Sprecher Automation
Product	SPRECON-E-T3
Versions	Default: unaffected Version * is affected

Credits

Sec-Consult Security Labs reporter

References

https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf

Problem Types

CWE-1394 Use of Default Cryptographic Key CWE