CVE-2025-35996
📋 TL;DR
KUNBUS PiCtory versions 2.11.1 and earlier contain a stored cross-site scripting (XSS) vulnerability where authenticated attackers can upload specially crafted filenames that execute malicious JavaScript when viewed by other users. This allows attackers to steal session cookies, perform actions as victims, or redirect users to malicious sites. Organizations using PiCtory for industrial control system configuration are affected.
💻 Affected Systems
- KUNBUS PiCtory
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control over PiCtory system, steals credentials, deploys ransomware to connected industrial devices, or causes physical damage to industrial processes.
Likely Case
Attacker steals session cookies to hijack authenticated sessions, performs unauthorized configuration changes, or deploys malware to connected devices.
If Mitigated
Limited to authenticated user compromise within the PiCtory interface, with network segmentation preventing lateral movement to critical systems.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. Stored XSS payloads persist until cleaned.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.2 or later
Vendor Advisory: http://packages.revolutionpi.de/pool/main/p/pictory/
Restart Required: Yes
Instructions:
1. Back up current PiCtory configurations.
2. Update the PiCtory package using apt: 'sudo apt update && sudo apt upgrade pictory'.
3. Restart the PiCtory service: 'sudo systemctl restart pictory'.
4. Verify that the installed version is 2.11.2 or higher.
🔧 Temporary Workarounds
Input Validation Web Application Firewall
Deploy WAF rules to block filenames containing HTML/JavaScript tags.
Restrict File Upload API
Block or monitor API endpoints that accept filename uploads. The example rule below matches the literal string "filename=" inside individual TCP packets on the API port, so it is a blunt control: it also drops legitimate uploads carrying that string and misses encoded or fragmented payloads.
sudo iptables -A INPUT -p tcp --dport [API_PORT] -m string --string "filename=" --algo bm -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PiCtory systems from critical OT networks
- Enforce strong authentication and session management with short timeouts and MFA
🔍 How to Verify
Check if Vulnerable:
Check the PiCtory version: 'dpkg -l | grep pictory'. If the version is 2.11.1 or lower, the system is vulnerable.
Check Version:
dpkg -l | grep pictory
Verify Fix Applied:
After updating, verify that the version is 2.11.2 or higher: 'dpkg -l | grep pictory'. Test by attempting to upload a filename containing script tags; it should be rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual filename uploads containing <script> tags in PiCtory logs
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- HTTP POST requests to file upload API endpoints with suspicious payloads
- Outbound connections from PiCtory system to unknown external IPs
SIEM Query:
source="pictory.log" AND ("filename" AND ("<script>" OR "javascript:" OR "onerror="))
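As an added example (not part of this advisory and not KUNBUS code), the following Python applies the log indicators above to constructed PiCtory-style upload log lines. The line format, field names and sample entries are assumptions; unlike the literal SIEM query, it normalizes URL encoding, HTML entities and letter case before matching, so encoded or mixed-case variants of the same markers are also flagged.

```python
import html
import re
from urllib.parse import unquote

# Markers from the advisory's SIEM query ("<script>", "javascript:", "onerror="),
# with "<script" left open so "<script src=...>" also matches, plus "onload=".
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")
# ASSUMED (constructed) log format; real PiCtory lines may differ:
#   <date> <time> upload user=<name> filename="<uploaded name>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) upload user=(?P<user>\S+) filename="(?P<name>.*)"$'
)


def normalize(name: str) -> str:
    """Undo the cheap encodings a literal string match misses: URL-encoding
    (applied twice to catch double-encoding), HTML entities, and letter case."""
    decoded = name
    for _ in range(2):
        decoded = unquote(decoded)
    return html.unescape(decoded).lower()


def scan_line(line: str):
    """Return a finding dict for an upload whose filename carries an XSS
    marker; None for clean uploads and for lines that are not uploads."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name = m.group("name")
    hits = [mk for mk in XSS_MARKERS if mk in normalize(name)]
    if not hits:
        return None
    return {"ts": m.group("ts"), "user": m.group("user"),
            "filename": name, "markers": hits}


def scan(lines):
    """Scan an iterable of log lines and collect the findings in order."""
    return [f for f in (scan_line(ln) for ln in lines) if f]


# Constructed sample log: one benign upload, three suspicious, one non-upload.
SAMPLE_LOG = [
    '2025-06-01 10:00:01 upload user=operator filename="io_map_v3.rsc"',
    '2025-06-01 10:02:15 upload user=operator filename="<script>alert(1)</script>.rsc"',
    '2025-06-01 10:03:40 upload user=operator filename="%3Cscript%3Ealert(1)%3C%2Fscript%3E.rsc"',
    '2025-06-01 10:04:09 upload user=guest filename="logo.rsc&lt;img src=x onError=alert(1)&gt;"',
    '2025-06-01 10:05:00 login user=guest result=ok',
]
```

Run scan(SAMPLE_LOG) to see the three flagged entries; the URL-encoded and HTML-entity-encoded uploads are the ones the literal SIEM query would miss.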