Arbitrary file upload in Wattsense Bridge
CVE-2025-26411
An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker…
Vulnerability class: Unrestricted File Upload
EPSS: 0.003 (50.6th percentile)
Affected products
- Wattsense Bridge — versions 0
Weakness classification (CWE)
References
- r.sec-consult.com/wattsense (third-party-advisory)
- support.wattsense.com/hc/en-150/articles/13366066529437-Release-Notes (release-notes)