CVE-2025-2861
📋 TL;DR
SaTECH BCU firmware version 2.1.3 transmits sensitive data, including credentials, over unencrypted HTTP, allowing an attacker who can observe the traffic to intercept and reuse that information for unauthorized access. All systems running the vulnerable firmware version are affected. The vulnerability stems from the web interface using HTTP instead of HTTPS.
💻 Affected Systems
- SaTECH BCU
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept administrator credentials, gain full control of the BCU device, and potentially compromise connected systems or manipulate industrial processes.
Likely Case
Attackers capture legitimate user credentials and gain unauthorized access to the BCU web interface, potentially modifying configurations or accessing sensitive data.
If Mitigated
With proper network segmentation and monitoring, impact is limited to credential exposure without lateral movement opportunities.
🎯 Exploit Status
Exploitation requires network access to intercept HTTP traffic. No authentication bypass is needed, as legitimate credentials are captured in transit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor for updated firmware with HTTPS support
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu
Restart Required: No
Instructions:
1. Contact SaTECH/Arteche for updated firmware.
2. Back up the current configuration.
3. Apply the firmware update.
4. Verify that HTTPS is enabled and HTTP is disabled.
🔧 Temporary Workarounds
Network Segmentation and Encryption
Isolate BCU devices on separate VLANs and implement network-level encryption
Reverse Proxy with HTTPS
Place a reverse proxy in front of the BCU that terminates HTTPS connections
🧯 If You Can't Patch
- Isolate the BCU on a dedicated network segment with strict access controls
- Implement network monitoring for suspicious HTTP traffic patterns and credential usage
🔍 How to Verify
Check if Vulnerable:
Check whether the web interface is reachable over plain HTTP (http://[device-ip]) and whether the firmware version is 2.1.3
Check Version:
Check the device web interface or console for the firmware version
Verify Fix Applied:
Verify that the web interface accepts only HTTPS connections and that HTTP is disabled
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from new IPs
- Successful logins from unusual locations or times
Network Indicators:
- Unencrypted HTTP traffic to BCU devices
- Credential interception attempts via ARP spoofing or MITM
SIEM Query:
source_ip="BCU_IP" AND protocol="HTTP" AND (uri CONTAINS "login" OR uri CONTAINS "auth")
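The detection logic behind the SIEM query above, as an added example that is not part of the advisory or any vendor tooling: it scans constructed key=value flow/proxy log lines (an assumed format; real SIEM field names differ) for cleartext HTTP requests to a BCU whose URI looks like a login or auth endpoint, treating the BCU as the destination of the request. The BCU addresses are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed key=value flow/proxy format.
SAMPLE_LOGS = """\
ts=2025-05-01T10:00:01Z src=10.0.5.21 dst=10.0.5.10 dport=80 proto=HTTP method=POST uri=/login
ts=2025-05-01T10:00:07Z src=10.0.5.21 dst=10.0.5.10 dport=443 proto=TLS method=- uri=-
ts=2025-05-01T10:01:15Z src=10.0.5.33 dst=10.0.5.10 dport=80 proto=HTTP method=GET uri=/status.html
ts=2025-05-01T10:02:40Z src=10.0.5.33 dst=10.0.5.10 dport=80 proto=HTTP method=POST uri=/api/auth
ts=2025-05-01T10:03:02Z src=10.0.5.40 dst=10.0.5.99 dport=80 proto=HTTP method=POST uri=/login
"""

# Placeholder BCU addresses; replace with the real device inventory.
BCU_IPS = {"10.0.5.10"}

# Same intent as the SIEM query: a URI containing "login" or "auth".
CRED_URI = re.compile(r"login|auth", re.IGNORECASE)

REQUIRED_FIELDS = ("ts", "src", "dst", "proto", "uri")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    uri: str


def parse_record(line):
    """Turn one key=value line into a dict; return None for blank or malformed lines."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return fields if all(k in fields for k in REQUIRED_FIELDS) else None


def find_plaintext_logins(log_text, bcu_ips=BCU_IPS):
    """Return an Alert for every cleartext HTTP request to a BCU with a credential-bearing URI."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip lines that do not carry the fields we need
        if rec["dst"] in bcu_ips and rec["proto"].upper() == "HTTP" and CRED_URI.search(rec["uri"]):
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["uri"]))
    return alerts


if __name__ == "__main__":
    for a in find_plaintext_logins(SAMPLE_LOGS):
        print(f"{a.ts} cleartext credential request {a.src} -> {a.dst} {a.uri}")
```

Any hit after the firmware update is also a sign that HTTP was not actually disabled on the device.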