CVE-2025-6225
📋 TL;DR
CVE-2025-6225 is a shell command injection vulnerability in Kieback&Peter Neutrino-GLT building management system's SM70 PHWEB web component. Attackers can execute arbitrary commands via the login form, though with limited privileges. This affects organizations using this building automation system.
💻 Affected Systems
- Kieback&Peter Neutrino-GLT with SM70 PHWEB web component
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain an initial foothold on the building management system, pivot to other systems, disrupt building operations, or deploy ransomware.
Likely Case
Attackers execute reconnaissance commands, steal configuration data, or disrupt specific building management functions.
If Mitigated
Limited impact due to low privilege execution, but still provides foothold for further attacks.
🎯 Exploit Status
Exploitation via login form suggests straightforward injection; no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.40.02
Vendor Advisory: https://cert.pl/en/posts/2026/01/CVE-2025-6225/
Restart Required: Yes
Instructions:
1. Contact Kieback&Peter for version 9.40.02.
2. Back up the configuration.
3. Apply the update following vendor instructions.
4. Restart the system.
5. Verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate the building management system from other networks
Access Control
Restrict web interface access to authorized IPs only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the system
- Deploy web application firewall with command injection rules
🔍 How to Verify
Check if Vulnerable:
Check SM70 PHWEB version via web interface or system documentation; versions before 9.40.02 are vulnerable.
Check Version:
Check via web interface or vendor-specific management tools
Verify Fix Applied:
Confirm version is 9.40.02 or later via system interface or documentation.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed login attempts with special characters
- Unexpected process creation
Network Indicators:
- HTTP requests to login endpoint with shell metacharacters
- Outbound connections from building management system to unexpected destinations
SIEM Query:
source="building_mgmt" AND (url="*login*" AND (content="*;*" OR content="*|*" OR content="*`*"))
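The SIEM query above matches raw request content, so percent-encoded metacharacters (for example `%3B` for `;`) slip past it. The following detection routine is an added example, not code from the page or the vendor; it assumes a reverse proxy or WAF in front of the web component emits JSON records with `src`, `url` and `body` keys (an assumption), decodes every query-string and form-body value, and flags login requests whose values contain the metacharacters the page lists. The sample records are constructed.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Metacharacters the page's SIEM query keys on (; | `), plus "$(" and newline,
# which a shell also treats as command separators or substitution.
META_RE = re.compile(r"[;|`\n]|\$\(")


def field_values(url, body):
    """Yield every decoded query-string and form-body value of one request."""
    for qs in (urlsplit(url).query, body):
        # parse_qs percent-decodes values, so %3B becomes ';' before matching,
        # and the '&' that separates form fields is not mistaken for a payload.
        for values in parse_qs(qs, keep_blank_values=True).values():
            yield from values


def suspicious_login_requests(log_lines):
    """Return (line_no, src, flagged_values) for login requests carrying
    shell metacharacters in any decoded parameter value."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the run
        url = rec.get("url", "")
        if "login" not in urlsplit(url).path.lower():
            continue
        flagged = [v for v in field_values(url, rec.get("body", ""))
                   if META_RE.search(v)]
        if flagged:
            hits.append((n, rec.get("src", "?"), flagged))
    return hits


# Constructed sample records (hypothetical proxy/WAF log format, not real traffic).
SAMPLE_LOG = [
    '{"src":"10.0.5.21","url":"/login","body":"user=operator&pass=Winter2025"}',
    '{"src":"10.0.5.22","url":"/login","body":"user=admin%3Bfoo&pass=x"}',
    '{"src":"10.0.5.23","url":"/status","body":"q=a%3Bb"}',
    '{"src":"10.0.5.24","url":"/login?next=%2Fhome%60foo%60","body":"user=a"}',
    '{"src":"10.0.5.25","url":"/login","body":"user=a&pass=p%26w"}',
    'not json at all',
]

if __name__ == "__main__":
    for n, src, values in suspicious_login_requests(SAMPLE_LOG):
        print(f"record {n} from {src}: {values}")
```

Only records 2 and 4 are reported: the encoded `;` and backtick are caught after decoding, the `/status` request is outside the login endpoint, and the legitimately encoded `&` in record 5 is not a metacharacter.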