CVE-2025-41452 - Vulnerability Details - OpenCVE

Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow for a denial of service attack induced by improper handling of exceptional conditions

Attack Vector Network

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Danfoss	Ak-sm8xxa Series

No data.

No data.

References

Link	Providers
https://www.danfoss.com/en/service-and-support/downloads/dcs/adap-kool-software/ak-sm-800a/#tab-overview

History

Sun, 24 Aug 2025 22:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Danfoss Danfoss ak-sm8xxa Series
Vendors & Products		Danfoss Danfoss ak-sm8xxa Series

Fri, 22 Aug 2025 11:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 22 Aug 2025 03:00:00 +0000

Type	Values Removed	Values Added
Description		Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow for a denial of service attack induced by improper handling of exceptional conditions
Title		Post auth nginx configuration injection in Danfoss AK-SM8xxA Series
Weaknesses		CWE-15
References		https://www.danfoss.com/en/service-and-support/downloads/dcs/adap-kool-software/ak-sm-800a/#tab-overview
Metrics		cvssV4_0 `{'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: Danfoss

Published: 2025-08-22T02:40:53.563Z

Updated: 2025-08-22T10:52:36.122Z

Reserved: 2025-04-16T10:32:42.818Z

Link: CVE-2025-41452

Vulnrichment

Updated: 2025-08-22T10:52:29.432Z

NVD

Status : Awaiting Analysis

Published: 2025-08-22T03:15:30.207

Modified: 2025-08-22T18:08:51.663

Link: CVE-2025-41452

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-41452", "assignerOrgId": "d7ff35af-cf88-454c-bab9-af60602f10f8", "state": "PUBLISHED", "assignerShortName": "Danfoss", "dateReserved": "2025-04-16T10:32:42.818Z", "datePublished": "2025-08-22T02:40:53.563Z", "dateUpdated": "2025-08-22T10:52:36.122Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "AK-SM8xxA Series", "vendor": "Danfoss", "versions": [{"lessThan": "4.3.1", "status": "affected", "version": "0", "versionType": "cpe"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow for a denial of service attack induced by improper handling of exceptional conditions"}], "value": "Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which\u00a0could allow for a denial of service attack induced by improper handling of exceptional conditions"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.8, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-15", "description": "CWE-15: External Control of System or Configuration Setting", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d7ff35af-cf88-454c-bab9-af60602f10f8", "shortName": "Danfoss", "dateUpdated": "2025-08-22T02:40:53.563Z"}, "references": [{"url": "https://www.danfoss.com/en/service-and-support/downloads/dcs/adap-kool-software/ak-sm-800a/#tab-overview"}], "source": {"discovery": "EXTERNAL"}, "title": "Post auth nginx configuration injection in Danfoss AK-SM8xxA Series", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-22T10:52:01.090719Z", "id": "CVE-2025-41452", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-22T10:52:36.122Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-41452", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-22T10:52:01.090719Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-22T10:52:29.432Z"}}], "cna": {"title": "Post auth nginx configuration injection in Danfoss AK-SM8xxA Series", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Danfoss", "product": "AK-SM8xxA Series", "versions": [{"status": "affected", "version": "0", "lessThan": "4.3.1", "versionType": "cpe"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.danfoss.com/en/service-and-support/downloads/dcs/adap-kool-software/ak-sm-800a/#tab-overview"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which\u00a0could allow for a denial of service attack induced by improper handling of exceptional conditions", "supportingMedia": [{"type": "text/html", "value": "Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow for a denial of service attack induced by improper handling of exceptional conditions", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-15", "description": "CWE-15: External Control of System or Configuration Setting"}]}], "providerMetadata": {"orgId": "d7ff35af-cf88-454c-bab9-af60602f10f8", "shortName": "Danfoss", "dateUpdated": "2025-08-22T02:40:53.563Z"}}}, "cveMetadata": {"cveId": "CVE-2025-41452", "state": "PUBLISHED", "dateUpdated": "2025-08-22T10:52:36.122Z", "dateReserved": "2025-04-16T10:32:42.818Z", "assignerOrgId": "d7ff35af-cf88-454c-bab9-af60602f10f8", "datePublished": "2025-08-22T02:40:53.563Z", "assignerShortName": "Danfoss"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which\u00a0could allow for a denial of service attack induced by improper handling of exceptional conditions"}, {"lang": "es", "value": "Vulnerabilidad en la configuraci\u00f3n de la interfaz web del sistema de control externo autenticado posteriormente en Danfoss AK-SM8xxA Series anterior a la versi\u00f3n 4.3.1, que podr\u00eda permitir un ataque de denegaci\u00f3n de servicio inducido por un manejo inadecuado de condiciones excepcionales"}], "id": "CVE-2025-41452", "lastModified": "2025-08-22T18:08:51.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "d7ff35af-cf88-454c-bab9-af60602f10f8", "type": "Secondary"}]}, "published": "2025-08-22T03:15:30.207", "references": [{"source": "d7ff35af-cf88-454c-bab9-af60602f10f8", "url": "https://www.danfoss.com/en/service-and-support/downloads/dcs/adap-kool-software/ak-sm-800a/#tab-overview"}], "sourceIdentifier": "d7ff35af-cf88-454c-bab9-af60602f10f8", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-15"}], "source": "d7ff35af-cf88-454c-bab9-af60602f10f8", "type": "Secondary"}]}