CVE-2025-2862

7.5 HIGH

📋 TL;DR

SaTECH BCU firmware version 2.1.3 uses weak password encryption, allowing an attacker with access to the device's system or web interface to recover stored credentials. This affects organizations running this specific firmware version in building control systems. The root cause is insufficient cryptographic protection of stored authentication data.

💻 Affected Systems

Products:
  • SaTECH BCU
Versions: Firmware version 2.1.3
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with firmware 2.1.3 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of building control systems leading to unauthorized access, manipulation of environmental controls, or disruption of critical infrastructure operations.

🟠 Likely Case

Credential theft enabling unauthorized access to building management interfaces, potentially allowing surveillance or minor system manipulation.

🟢 If Mitigated

Limited impact if strong network segmentation and access controls prevent attackers from reaching vulnerable systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to the device's system or website to extract and decrypt credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for updated firmware

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu

Restart Required: No

Instructions:

1. Contact SaTECH/Arteche for a firmware update.
2. Download the updated firmware.
3. Apply the update following vendor instructions.
4. Verify credential storage encryption strength post-update.

🔧 Temporary Workarounds

Network Segmentation (scope: all)

Isolate BCU systems from untrusted networks to limit the attack surface.

Access Control Hardening (scope: all)

Implement strict access controls and monitoring for BCU management interfaces.

🧯 If You Can't Patch

  • Implement network-level encryption (VPN/IPsec) for all BCU communications
  • Deploy credential monitoring and alerting for suspicious access patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version in device management interface or via vendor documentation

Check Version:

Check device web interface or vendor-specific CLI commands

Verify Fix Applied:

Verify firmware version is updated and test credential storage encryption strength

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts
  • Multiple failed login attempts followed by successful access
  • Credential extraction patterns

Network Indicators:

  • Unusual traffic to BCU management interfaces
  • Credential dumping attempts

SIEM Query:

source="bcu_logs" AND (event_type="authentication" OR event_type="credential_access")
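The second log indicator above (multiple failed logins followed by a successful one from the same source) as a standalone check, added here as an example and not part of the original advisory; the key=value log format and field names are assumptions, since the page does not document the BCU's real log syntax.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format;
# a real BCU log syntax is not documented on this page and may differ.
SAMPLE_LOGS = """\
2025-04-01T10:00:01Z event_type=authentication src=10.0.0.5 user=admin result=failure
2025-04-01T10:00:03Z event_type=authentication src=10.0.0.5 user=admin result=failure
2025-04-01T10:00:05Z event_type=authentication src=10.0.0.5 user=admin result=failure
2025-04-01T10:00:09Z event_type=authentication src=10.0.0.5 user=admin result=success
2025-04-01T10:02:00Z event_type=authentication src=10.0.0.7 user=operator result=success
2025-04-01T10:03:00Z event_type=credential_access src=10.0.0.5 user=admin result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+event_type=(?P<event>\S+)\s+src=(?P<src>\S+)\s+"
    r"user=(?P<user>\S+)\s+result=(?P<result>\S+)$"
)

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield d

def find_brute_force_then_success(lines, min_failures=3, window=timedelta(minutes=5)):
    """Return (src, user, failure_count) for each success preceded by at least
    min_failures failed logins from the same src/user inside `window`."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in parse(lines):
        if ev["event"] != "authentication":
            continue
        key = (ev["src"], ev["user"])
        # keep only failures still inside the sliding window
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
        elif ev["result"] == "success":
            if len(failures[key]) >= min_failures:
                alerts.append((ev["src"], ev["user"], len(failures[key])))
            failures[key] = []  # reset after a success so one burst alerts once
    return alerts
```

Run against a device's exported authentication log, tune `min_failures` and `window` to the site's normal failure rate, and feed hits to the same alerting path as the SIEM query above.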
