CVE-2025-48862
In short
The ctrlX OS setup tool's interface misleads users into thinking their backup files are fully encrypted when they set a password, but only the private key inside is encrypted—the rest of the backup data remains unprotected and exposed.
Technical detail
A UI clarity issue in the ctrlX OS backup mechanism creates a false sense of security: entering a password suggests that the whole backup file is encrypted, but only the embedded private key is. The rest of the backup contents are stored without encryption (CWE-311, Missing Encryption of Sensitive Data) and remain readable. Anyone who obtains the backup file can read that unencrypted data regardless of the password that was set.
Summary generated and translated by AI from the official description.
Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains unencrypted.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
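The defensive takeaway is not to trust the password prompt but to verify the artefact itself. The following added example (not Bosch/ctrlX code; the ctrlX backup format is not described on this page, so the check is format-agnostic) inspects a backup blob for well-known plaintext container signatures and, failing that, measures byte entropy, so an operator can confirm whether a "password-protected" backup is actually encrypted as a whole. Sample inputs are constructed.

```python
import gzip
import math
import random
from collections import Counter

# Signatures of common unencrypted container formats. Assumption: a backup
# that is "password protected" but not encrypted still starts with one of these.
PLAINTEXT_MAGIC = {b"\x1f\x8b": "gzip", b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, lower for text and most plaintext formats."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_container(data: bytes):
    """Name the container the file starts with, or None if no known header."""
    for magic, name in PLAINTEXT_MAGIC.items():
        if data.startswith(magic):
            return name
    if data.startswith(b"PK\x03\x04") and len(data) >= 8:
        flags = int.from_bytes(data[6:8], "little")  # zip general-purpose bit flag
        return "zip-encrypted-entries" if flags & 1 else "zip"  # bit 0 = entry encryption
    if data[257:262] == b"ustar":  # POSIX tar header at fixed offset
        return "tar"
    return None

def assess_backup(data: bytes, threshold: float = 7.9) -> dict:
    """A recognisable plaintext container means the file is NOT encrypted as a
    whole, whatever the UI implied. A header-less, high-entropy file is
    consistent with whole-file encryption (not proof: compressed data is also
    high-entropy, which is why the header check runs first)."""
    container = detect_container(data)
    entropy = shannon_entropy(data)
    readable = container is not None and container != "zip-encrypted-entries"
    return {"container": container, "entropy": round(entropy, 3),
            "encrypted_likely": (not readable) and entropy >= threshold}

# Constructed samples: a gzip'd config blob standing in for an unencrypted
# backup, and seeded pseudo-random bytes standing in for real ciphertext.
SAMPLE_PLAINTEXT_BACKUP = gzip.compress(b'{"device":"ctrlx","users":[]}' * 200, mtime=0)
_rng = random.Random(2025)
SAMPLE_CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(16384))

if __name__ == "__main__":
    for label, blob in (("backup.gz", SAMPLE_PLAINTEXT_BACKUP),
                        ("backup.enc", SAMPLE_CIPHERTEXT_LIKE)):
        print(label, assess_backup(blob))
```

Run it against a real backup export; a result with a named container and `encrypted_likely: False` is the condition this CVE describes.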
Affected products
Bosch Rexroth AG · ctrlX OS - Setup