## https://sploitus.com/exploit?id=PACKETSTORM:223999
SEC Consult Vulnerability Lab Security Advisory < 20260617-0 >
    =======================================================================
                  title: Multiple Critical Vulnerabilities
                product: Sprecher Automation SPRECON-E-C/-E-P/-E-T3
     vulnerable version: See vulnerable versions below
          fixed version: See solution section below
             CVE number: CVE-2022-4333, CVE-2022-4332, CVE-2025-41741,
                         CVE-2025-41742, CVE-2025-41743, CVE-2025-41744
                 impact: critical
               homepage: https://www.sprecher-automation.com/
                  found: 2022-08-26
                     by: Steffen Robertz
                         Christian Hager (Office Vienna)
                         SEC Consult Vulnerability Lab
    
                         An integrated part of SEC Consult, an Atos business
                         Europe | Asia
    
                         https://www.sec-consult.com
    =======================================================================
    
    Vendor description:
    -------------------
    "Sprecher Automation provides products and solutions for power supply
    and process automation. We secure critical infrastructures and optimise
    complex energy and industry processes. [...]
    Quality, availability and security – those are not only our customers'
    requirements, but also goals we are striving for. Due to that, for example,
    the hard- and software development are located in Austria and Germany.
    We produce exclusively in Austria – starting with the production of
    single elements, to system checks and practical inhouse testing."
    
    Source:https://www.sprecher-automation.com/en/company
    
    
    Business recommendation:
    ------------------------
    The vendor provides updated versions as well as workaround information in
    their security advisories. Users should verify whether the patches are
    already installed and otherwise patch immediately.
    
    SEC Consult highly recommends performing a thorough security review of
    the product, conducted by security professionals, to identify and resolve
    potential further security issues.
    
    
    Vulnerability overview/description:
    -----------------------------------
    1) Leak of Firmware Signing Private Key (CVE-2025-41741)
    Sprecher signs its firmware update files to prevent an attacker from
    loading manipulated update files. However, each PLC contains the
    globally valid private signing key, because the same key is also used to
    sign backups on the device. An attacker who obtains the key is able to
    ship validly signed, modified firmware updates to any device.
    
    The security vulnerability has been resolved in firmware version 9 and
    above. Further details can be found in the advisory of the vendor. In
    previous versions the affected feature can be deactivated by the customer.
    The stated key can only be used in conjunction with the backup feature.
    Affected products: SPRECON-E-C/-E-P/-E CPU Module
    
    2) Missing Secure-Boot Mechanism (CVE-2022-4332)
    The PLC is able to detect secure boot violations correctly. However,
    the events are not handled properly. They only output a warning to the
    boot log, but do not prevent the device's operation. Thus, anybody with
    physical access to the device can modify the firmware and potentially
    include backdoors.
    
    The security vulnerability has been resolved in firmware version 8.71a and
    above, as well as 8.64m. Further details can be found in the advisory
    of the vendor. In current and previous versions the affected feature can be
    deactivated by the customer.
    Affected products: SPRECON-E-C/-E-P/-E
    
    3) Unencrypted External Flash Memory (CVE-2022-4332)
    The external flash memory can be dumped using tools such as the Xgecu
    T56. This allows an attacker with physical access to read all files and
    thus gain knowledge about sensitive files such as passwords and private
    keys.
    
    The security vulnerability has been resolved in firmware version 9 and above.
    Further details can be found in the advisory of the vendor. In current and
    previous versions the affected feature can be deactivated by the customer.
    Affected products: SPRECON-E-C/-E-P/-E-T3
    
    4) Usage of static passwords (CVE-2025-41742)
    Various static passwords and static key material can be discovered in the
    firmware. They serve different use cases, such as hard-coded user accounts
    and the encryption of settings and configuration files. As the passwords are
    the same for every installation, an attacker can decrypt configuration
    files, modify them and encrypt them again so that the product accepts them.
    
    According to the vendor, the documented static identity string does not serve
    a security purpose in the system and is used as an identifier for maintenance.
    Using the default identifier can lead to the targeted system being misidentified
    during maintenance.
    Affected products: SPRECON-E-C/-E-P/-E-T3
    
    5) Hard-coded Vendor Accounts (CVE-2022-4333)
    Two hard-coded vendor accounts were revealed in the devices. These
    accounts are shipped with every update file and can be used by the
    vendor e.g. for support access.
    
    These documented accounts can be activated or deactivated in the configuration.
    These accounts are additionally secured with 2FA in firmware version 8.71g.
    Affected products: SPRECON-E-C/-E-P/-E-T3
    
    6) Decrypt Firmware Update Files (CVE-2025-41743)
    Firmware update files include hard-coded accounts from vulnerability 5 and
    can be decrypted using an XOR algorithm and a static password. This
    allows an attacker to further analyze PLC components as well as gaining
    knowledge of private keys and hard-coded accounts without requiring
    physical access to any device.
    
    The signature and encryption mechanism have been modified and the security
    vulnerability has been resolved in version 8.71 and above. Further details
    can be found in the advisory of the vendor.
    Affected products: SPRECON-E-C/-E-P/-E-T3
    
    7) Insecure Transport Encryption (CVE-2025-41744)
    The PLC's webserver and the connection to the Sprecher Engineering Center
    software use the same static default key and certificate on all devices.
    An attacker who obtains the private key via vulnerability 3 or 6 can thus
    impersonate any device still using the default certificate and decrypt its
    traffic from a man-in-the-middle position. The attacker would thereby be
    able to change configurations and read connection passwords.
    
    According to the vendor, those certificates are only used during initial
    commissioning and users can find further information to change the certificates
    in the documentation/guideline "SPRECON Grundhärtung" (basic hardening).
    The vendor's hardening guide makes it clear that it is both possible and
    recommended to change the default certificate.
    Documentation: 94.2.913.50en SPRECON Basic Hardening
    
    
    Proof of concept:
    -----------------
    1) Leak of Firmware Signing Private Key (CVE-2025-41741)
    Backups are restored by the same command flow as regular update files.
    Thus, backups need to be validly signed as well. For this, Sprecher's
    private key is required. The following openssl command signs the
    created backup:
    
    ```
    # Executed on the PLC when a backup is created; the key and the passphrase
    # file it references both live on the device's filesystem.
    openssl dgst -sha256 -sign ${SSM_CERT}/.backup.key -passin file:${SSM_CERT}/.pass \
        -out ${SSM_SECURE_DIR}/image.sha256 ${SSM_SECURE_DIR}/image.zip 2>/dev/null
    ```
    
    The private key and password are both stored in the same filesystem and
    can be obtained via the decrypted firmware update file (vulnerability 6)
    or the unencrypted flash memory (vulnerability 3).
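The consequence of the shared key, as an added example that is not part of the advisory or of Sprecher's code: a locally generated stand-in key pair plays the role of the vendor key (and its public half the role of the verifier on the device), an image is signed the way the advisory's backup command signs it, and a tampered image is re-signed with the "leaked" key and accepted again. All file names, the passphrase and the image contents are constructed for the demonstration; only `openssl`(1) is assumed.

```shell
#!/bin/sh
# Added example, not part of the SEC Consult advisory or Sprecher's code.
# Scenario from vulnerability 1: the private key that signs vendor firmware
# is present on every device (to sign backups), so whoever extracts it can
# sign a modified image that passes the signature check.
# Assumes openssl(1). Key, passphrase and image contents are constructed.

# Stand-in for Sprecher's signing key: passphrase-protected like the
# .backup.key/.pass pair on the device, plus the public half a verifier holds.
make_vendor_key() {   # make_vendor_key <dir>
    printf 'constructed-passphrase\n' > "$1/.pass"
    openssl genrsa -aes256 -passout "file:$1/.pass" \
        -out "$1/.backup.key" 2048 2>/dev/null
    openssl pkey -in "$1/.backup.key" -passin "file:$1/.pass" \
        -pubout -out "$1/vendor_pub.pem" 2>/dev/null
}

# Sign an image exactly like the device signs a backup (advisory's command).
sign_image() {   # sign_image <dir> <image> <sigfile>
    openssl dgst -sha256 -sign "$1/.backup.key" -passin "file:$1/.pass" \
        -out "$3" "$2" 2>/dev/null
}

# Verify as the update / backup-restore path would. Exit status 0 = accepted.
verify_image() {   # verify_image <dir> <image> <sigfile>
    openssl dgst -sha256 -verify "$1/vendor_pub.pem" \
        -signature "$3" "$2" >/dev/null 2>&1
}

# Full scenario. Prints one line per step and returns 0 if the tampered,
# re-signed image was accepted (i.e. the leaked key defeats the signing).
demo_leaked_key() {
    d=$(mktemp -d)
    make_vendor_key "$d"

    printf 'original firmware\n' > "$d/image.zip"
    sign_image "$d" "$d/image.zip" "$d/image.sha256"
    verify_image "$d" "$d/image.zip" "$d/image.sha256" \
        && echo "genuine image: accepted"

    # The attacker modifies the image; the old signature no longer matches...
    printf 'backdoored firmware\n' > "$d/image.zip"
    verify_image "$d" "$d/image.zip" "$d/image.sha256" \
        || echo "tampered image, old signature: rejected"

    # ...but with .backup.key and .pass extracted from the device
    # (vulnerability 3 or 6) the attacker simply re-signs it.
    sign_image "$d" "$d/image.zip" "$d/image.sha256"
    if verify_image "$d" "$d/image.zip" "$d/image.sha256"; then
        echo "tampered image, re-signed with leaked key: accepted"
        rc=0
    else
        echo "tampered image, re-signed with leaked key: rejected"
        rc=1
    fi
    rm -rf "$d"
    return $rc
}
```

Running `demo_leaked_key` prints the three steps; the last line shows that signature verification gives no protection once the signing key is shared with every device. The fix the vendor describes for version 9 amounts to separating the two roles: a per-device (or otherwise non-global) key for backups and a vendor-only key for firmware.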
    
    
    2) Missing Secure-Boot Mechanism (CVE-2022-4332)
    The main SoC of the SPRECON E-C-94 is an NXP i.MX6. The board does not fully
    enable High-Assurance Boot (HAB): the SoC is still in the open configuration,
    so the boot ROM and U-Boot merely report authentication results instead of
    refusing to boot. Thus, the firmware and bootloader can be modified. The
    modification is detected, however, since secure boot is not fully enabled,
    the violation is not acted upon. The following boot log can be seen on the
    device's service connector (X6). The first boot line was manipulated to
    include the string "SECTEST". In the log, "HAB Configuration: 0xf0" is the
    open configuration and "HAB State: 0x66" the non-secure state, and HAB
    events are printed but the images are still reported as authenticated.
    
    ```
    REL_UBOOT_SECTEST_2015_07_RC7 SPL (Mar 11 2022 - 10:55:26)
    Booting from SPI
    Image Entry Point: 0x17800000
    Image Load Address: 0x177FFFC0
    Image Size: 0x48000
    Authenticate image from DDR location 0x177fffc0...
    Authenticated Image Size = 0x46000
    Load Addr = 0x17800000
    HAB not enabled
    U-Boot Authentication Successful
    [...]
    Authenticate image from DDR location 0x12000000...
    Authenticated Image Size = 0x7bc000
    HAB not enabled
    HAB Configuration: 0xf0, HAB State: 0x66
    --------- HAB Event 1 -----------------
    [...]
    zImage Authentication Successful
    ```
    
    3) Unencrypted External Flash Memory (CVE-2022-4332)
    The main memory is a BGA153 eMMC flash memory. Thus, it can be read by
    multiple tools such as the Xgecu T56. By dumping its contents, an
    attacker can extract password hashes from the `/etc/passwd` or
    `/etc/shadow` file and gain access to the private key from
    vulnerability 1.
    
    
    4) Usage of static passwords (CVE-2025-41742)
        4.1) Static Passwords in Sprecher Engineering Studio
             Two different passwords can be used to call an internal function.
             This can be seen in the following decompiled code snippet:

             ```
             iVar3 = _strcmp(local_28,"**redacted**");
             if (((iVar3 == 0) || (iVar3 = _strcmp(local_28,"**redacted**"), iVar3 == 0)) ||(iVar3 = _strcmp(local_28,"**redacted**"), iVar3 == 0)) {
                 FUN_10001780(local_28,0x20,"XXX");
             }
             ```

             Unfortunately, we were not able to fully determine the use case of
             these credentials.

        4.2) Static Passwords in Sprecher Engineering Studio Configuration files
             When exporting configurations from the Engineering Studio, a .sprXecz
             file will be created. It is encrypted using a static password.

        4.3) Webserver Settings Export
             The webserver exports its settings as a .jzp file. However, this
             is just a renamed .zip file which uses a static password.

        4.4) OpenVPN and IPSEC Settings Export/Import
             OpenVPN profiles and IPSEC settings are exported/imported as
             zip files. They are encrypted with a static password.
    
    
    5) Hard-coded Vendor Accounts (CVE-2022-4333)
    The `/etc/passwd` file and `/etc/shadow` file reveal hard-coded password
    hashes for the "sprecon" and "spradm" accounts. These accounts are shipped
    with the update files (tested with official downloadable version 8.71) and
    there seems to be no option for deleting or changing their passwords.
    
    Whether the accounts can be used is controlled via the device configuration.
    Details on deactivating the accounts are included in the hardening guidelines.
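A check a practitioner can run against a dumped (vulnerability 3) or decrypted (vulnerability 6) root filesystem, as an added example that is not part of the advisory: list every account in `/etc/shadow` that still carries a usable password hash, and flag the vendor accounts named above. The sample shadow file and its hash values are constructed for the example and are not the real hashes from the device.

```shell
#!/bin/sh
# Added example, not from the SEC Consult advisory or Sprecher's firmware.
# Audits an extracted /etc/shadow for accounts with a usable password hash,
# the state the advisory describes for the "sprecon" and "spradm" accounts.
# The sample file below is constructed; the hash values are fake.

# Print "<user> <hash-type>" for every account whose password field is a
# usable crypt(3) hash, i.e. not empty and not locked ('*', '!', '!!', '!$6$...').
usable_accounts() {   # usable_accounts <shadow-file>
    awk -F: '
        $2 == "" || $2 ~ /^[*!]/ { next }      # no password or locked
        {
            type = "unknown"
            if ($2 ~ /^\$1\$/) type = "md5crypt"
            if ($2 ~ /^\$5\$/) type = "sha256crypt"
            if ($2 ~ /^\$6\$/) type = "sha512crypt"
            print $1, type
        }' "$1"
}

# Print the names of the vendor accounts from the advisory if they are usable.
vendor_accounts_usable() {   # vendor_accounts_usable <shadow-file>
    usable_accounts "$1" | awk '$1 == "sprecon" || $1 == "spradm" { print $1 }'
}

# Constructed sample resembling a dumped /etc/shadow (hash values are fake).
make_sample_shadow() {   # make_sample_shadow <outfile>
    cat > "$1" <<'EOF'
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sprecon:$6$constructedsalt$ConstructedHashValueNotARealOne0123456789abcdef:19000:0:99999:7:::
spradm:$6$constructedsalt$AnotherConstructedHashValue0123456789abcdefghijk:19000:0:99999:7:::
operator:$5$abc$FakeSha256CryptHashForIllustrationOnly:19000:0:99999:7:::
nobody:!!:19000:0:99999:7:::
EOF
}

# Stand-alone run: write the sample, audit it, clean up.
if [ "${0##*/}" != "sh" ] && [ -z "${SHADOW_AUDIT_NO_MAIN:-}" ]; then
    f=$(mktemp)
    make_sample_shadow "$f"
    echo "usable accounts:"; usable_accounts "$f"
    echo "vendor accounts still usable:"; vendor_accounts_usable "$f"
    rm -f "$f"
fi
```

On a real dump, point `usable_accounts` at `<rootfs>/etc/shadow`; any vendor account that appears in the output is still reachable with the shipped credentials and should be deactivated as described in the hardening guide.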
    
    
    6) Decrypt Firmware Update Files (CVE-2025-41743)
    SPRECON firmware update files are encrypted. However, they use XOR magic
    and static passwords as encryption method. Due to limited time, we did
    not reverse engineer the XOR algorithm and instead ran the decoding
    binaries using QEMU. First, the fwimaker binary was run to create a
    regular zip file from the XORed .fwi file by running the following
    command:
    
    ```
    qemu-arm -L /usr/arm-linux-gnueabihf ./fwimaker x sce_P9pu244_sc_864l_crypt.fwi extracted.zip
    ```
    
    Afterwards the ZIP file can be decompressed and decrypted.
    An attacker is now able to read the static password hashes and
    further analyze components of the PLC.
    
    According to the vendor, manipulated firmware update files cannot be
    flashed anymore, due to the usage of firmware signing.
    
    
    7) Insecure Transport Encryption (CVE-2025-41744)
    The file `/etc/rbac/default.pem` contains a private key which is used
    for the HTTPS encryption of the webserver. Further, the same key is used
    to encrypt the communication with the Sprecher Engineering Studio.
    An attacker can use vulnerability 3 or 6 to obtain the private key
    and can then decrypt communication in a man-in-the-middle position.
    The certificate has the following SHA-1 fingerprint:
    
    ```
    E9:AF:F4:F1:90:83:3C:5B:0B:E2:DF:E1:DF:31:69:B5:C1:EC:90:52
    ```
    
    One device using the same certificate was discovered on the internet.
    
    According to the vendor, those certificates are only used during initial
    commissioning and users can find further information to change the certificates
    in the documentation/guideline "SPRECON Grundhärtung" (basic hardening).
    The vendor's hardening guide makes it clear that it is both possible and
    recommended to change the default certificate of the vendor.
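A way to verify whether a given device still presents the default certificate, as an added example that is not part of the advisory: compute the SHA-1 fingerprint of a certificate file and compare it with the fingerprint published above. The `fetch_cert` helper (an assumption of this example, not a vendor tool) pulls the leaf certificate from a live endpoint with `openssl s_client`; everything else works offline on a PEM file.

```shell
#!/bin/sh
# Added example, not from the SEC Consult advisory or Sprecher's code.
# Checks whether a certificate is the default one from vulnerability 7 by
# comparing SHA-1 fingerprints. Assumes openssl(1) is installed.

# SHA-1 fingerprint published in the advisory for /etc/rbac/default.pem.
SPRECON_DEFAULT_FP='E9:AF:F4:F1:90:83:3C:5B:0B:E2:DF:E1:DF:31:69:B5:C1:EC:90:52'

# SHA-1 fingerprint of a PEM certificate, in openssl's colon notation,
# upper-cased so it compares cleanly across openssl versions.
cert_fingerprint() {   # cert_fingerprint <cert.pem>
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# Fetch the leaf certificate a live endpoint presents (needs network, so
# it is not exercised here):  fetch_cert 192.0.2.10:443 > device.pem
fetch_cert() {   # fetch_cert <host:port>
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509
}

# Exit status 0 if the certificate is the default one, 1 otherwise.
is_default_cert() {   # is_default_cert <cert.pem>
    [ "$(cert_fingerprint "$1")" = "$SPRECON_DEFAULT_FP" ]
}

# Generate a throw-away self-signed certificate (constructed test input).
make_test_cert() {   # make_test_cert <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=constructed \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Report "default" or "custom" for a certificate file.
classify_cert() {   # classify_cert <cert.pem>
    if is_default_cert "$1"; then echo default; else echo custom; fi
}
```

Against a fleet, feed `fetch_cert` output for each PLC into `classify_cert`; every "default" result is a device whose TLS private key is the one extractable from any firmware image and which should get its own certificate per the vendor's hardening guide.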
    
    
    Vulnerable / tested versions:
    -----------------------------
    The following firmware version & product has been tested where the vulnerabilities
    have been identified:
    * Leittechnik Firmware: 8.6.4i on SPRECON E-C-94
    
    According to the vendor, the following products and firmware versions are affected:
    Issue 1 - CVE-2025-41741) SPRECON-E-C/-E-P/-E CPU Module Version Amsel - PU245 and Falcon - PU244 in firmware version < v9.0
    Issue 2 & 3 - CVE-2022-4332) SPRECON-E-C/-E-P/-E-T3 (variant PU244x), SPRECON-V460 - firmware <v8.71a (except 8.64m)
    Issue 4 - CVE-2025-41742) SPRECON-E-C/-E-P/-E-T3
    Issue 5 - CVE-2022-4333) SPRECON-E-C/-E-P/-E-T3 (variants PU243x, PU244x, MC33/34, SPRECON-EDIR), SPRECON-V460
    Issue 6 - CVE-2025-41743) SPRECON-E-C/-E-P/-E-T3 in firmware versions <v9.0
    Issue 7 - CVE-2025-41744) SPRECON-E-C/-E-P/-E-T3
    
    
    Vendor contact timeline:
    ------------------------
    The vulnerabilities were identified in August 2022 and submitted directly to
    the vendor by a third party. We took over the coordination again in
    November 2023, also because a vulnerability verification/recheck was
    planned.
    
    2023-11-23: Contacting vendor through SPRECON contact form on website
                (https://www.sprecher-automation.com/anfrage-sprecon)
    2023-11-24: Vendor responds that vulnerabilities have not been assigned to separate
                advisories. The vulnerabilities have not yet been fixed as a new
                security subsystem needs to be implemented. First fixes are scheduled
                for end of Q1/2024 but maintenance releases have been rolled out
                to mitigate some issues. A full fix is planned for the major product
                version and afterwards CVEs and details will be published in accordance
                with E-CERT and BSI.
    2024-10-30: Requesting status update of responsible disclosure.
    2024-10-31: Sprecher did not yet receive the results of the recheck. Sprecher will
                clarify the internal state of the responsible disclosure process.
                Our contact person is not directly working at Sprecher anymore but as a
                contractor.
    2024-12-05: Requesting status update again and a contact at Sprecher.
    2024-12-09: No firmware updates for all devices yet. No specific timeline yet,
                estimated for Q1 2025.
    2025-02-10: Requested status update.
    2025-03-18: Requested update as the current state of patches is unclear, informing
                vendor that our contact person has changed as well. No response.
    2025-05-19: Requested status update. No response.
    2025-07-10: Requested update.
    2025-07-14: Sprecher responds that the security contact for our advisory changed and
                we should contact another person (who was in CC all the communication
                attempts before).
    2025-07-16: Sprecher wants to schedule a short meeting to discuss the current status.
    2025-07-18: Exchanging several date suggestions for the meeting.
    2025-08-20: Meeting with Sprecher and providing the current state of the advisory.
    2025-09-22: Submitting another (different) security advisory to Sprecher.
    2025-09-23: Meeting with Sprecher regarding the current state of the vulnerabilities.
                Scheduling follow-up meeting for 7th October.
    2025-10-07: Sprecher cancelled planned meeting on short notice. Our CNA shortly phoned
                with Sprecher. Setup a new meeting and communicated that a normal responsible
                disclosure timeline is 3 months.
    2025-10-13: Meeting with Sprecher and our CNA and agreeing on a mutual timeline
                regarding the advisory release. Sprecher will give feedback regarding CVE
                assignment, provided CVE-2022-4332 and CVE-2022-4333. Vendor will provide
                information regarding vulnerability 4 until 2025-10-17.
                SEC Consult removes sensitive information from the advisory and adds
                that manipulated images cannot be flashed (issue 6) and that the vendor
                recommends changing certificates (issue 7).
                The vendor blog post will be released on 24th October and our publication is
                then planned for 27th October.
                Sending the current state of the advisory again.
    2025-10-15: Asking whether Sprecher received our encrypted email, asking for confirmation.
                No response from the vendor.
    2025-10-17: Preparing the release of the advisory.
                Sending the final draft of the advisory to Sprecher with a target
                release date on the 2025-10-27.
                Contacting CERT@VDE regarding CVE-2022-4332 + CVE-2022-4333.
    2025-10-20: Vendor responds that our draft advisory is incorrect, contains already
                published (from their side) CVEs and requests further coordination for
                responsible disclosure.
    2025-10-21: Contacting CERT@VDE regarding potential support.
    2025-10-22: CERT@VDE cannot support our case as Sprecher is not a partner.
    2025-10-23: Adjusted timeline again and submitted draft advisory to Sprecher. Asking
                for a meeting.
    2025-11-05: Meeting with vendor, discussing vulnerabilities & next steps, vendor will
                provide further information as well as feedback to our advisory.
    2025-11-05: Vendor provides CVE numbers and links to their advisories.
    2025-11-06: Adjusting advisory with feedback of vendor and CVE numbers etc., submitting
                latest draft version to vendor again.
    2025-11-19: Asking the vendor for a status update & feedback.
    2025-12-02: Vendor responds with adjusted advisory feedback.
    2025-12-15: Informing vendor about internal delays on our side regarding publication.
    2026-06-11: Sending adjusted advisory to vendor & proposed publication date (17th June).
    2026-06-17: Public release of security advisory.
    
    
    Solution:
    ---------
    The vendor provides relevant updates and/or workarounds for the specific issues
    in their own advisories:
    
    (PDFs in German)
    Issue 1 - CVE-2025-41741) SPR-2511041 - https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511041_de.pdf
    Issue 2 & 3 - CVE-2022-4332) 2022-12 - https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/2022-12_Advisories.pdf
    Issue 4 - CVE-2025-41742) SPR-2511042 - https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf
    Issue 5 - CVE-2022-4333) 2022-12 - https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/2022-12_Advisories.pdf
    Issue 6 - CVE-2025-41743) SPR-2511043 - https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf
    Issue 7 - CVE-2025-41744) SPR-2511044 - https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511044_de.pdf
    
    
    Workaround:
    -----------
    See vendor advisories for the specific workarounds and mitigations.
    
    
    Advisory URL:
    -------------
    https://sec-consult.com/vulnerability-lab/
    
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    SEC Consult Vulnerability Lab
    
    SEC Consult, an Atos business
    Europe | Asia
    
    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
    Atos company. It ensures the continued knowledge gain of SEC Consult in the
    field of network and application security to stay ahead of the attacker. The
    SEC Consult Vulnerability Lab supports high-quality penetration testing and
    the evaluation of new offensive and defensive technologies for our customers.
    Hence our customers obtain the most current information about vulnerabilities
    and valid recommendation about the risk profile of new technologies.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your application: https://sec-consult.com/career/
    
    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local offices: https://sec-consult.com/contact/
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Mail: security-research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: https://blog.sec-consult.com
    X: https://x.com/sec_consult
    
    EOF S. Robertz, C. Hager, S. Schweighofer / @2026