
DSA-2025-08-01

Post-Authentication Vulnerabilities - OS Command Injection RCE and Nginx Configuration Injection in Danfoss AK-SM8xxA Series

Advisory Information

Advisory ID: DSA-2025-08-01

Summary

Post-Authentication Vulnerabilities - OS Command Injection RCE and Nginx Configuration Injection in Danfoss AK-SM8xxA Series. These vulnerabilities should be considered serious and could lead to the compromise of the system. Install the latest patch, version 4.3.1, to remediate these vulnerabilities.

Affected products and services

  • Danfoss AK-SM 8xxA Series prior to version 4.3.1

Vulnerability description

CVE-2025-41451 - Improper neutralization of alarm-to-mail configuration fields used in an OS shell Command ('Command Injection') in Danfoss AK-SM8xxA Series prior to version 4.3.1, leading to a potential post-authenticated remote code execution on an attacked system.

Problem Type: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2025-41452 - Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow for a denial of service attack induced by improper handling of exceptional conditions.

Problem Type: CWE-15: External Control of System or Configuration Setting
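The two weakness classes above, shown side by side as an added illustration that is not Danfoss code and does not reflect the actual AK-SM implementation: an alarm-to-mail recipient and subject spliced into a shell command string (the CWE-77 pattern) versus a validated argv-based call, and an input check that rejects values which would terminate or extend an nginx-style directive (the CWE-15 pattern). The field names, the `mail` command and the validation rules are assumptions made for the example.

```python
import re

# Constructed example (not vendor code): mitigation patterns for the two
# weakness classes named in this advisory. Field names and the mailer command
# are assumptions for illustration only.

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Characters that let a value break out of a shell argument into a new command.
SHELL_META = set(";|&$`<>()\n\r\"'\\")
# Characters that end or extend a directive inside an nginx configuration file.
NGINX_META = set(";{}#\n\r")


def unsafe_mail_command(recipient: str, subject: str) -> str:
    """Vulnerable pattern: configuration fields are concatenated into one shell
    string that a mailer would later execute through /bin/sh. A recipient such
    as 'ops@example.com; id' survives untouched and becomes a second command."""
    return f"mail -s {subject} {recipient} < /tmp/alarm.txt"


def safe_mail_argv(recipient: str, subject: str) -> list[str]:
    """Hardened pattern: allow-list each field, then pass the values as separate
    argv elements so no shell ever parses them (use subprocess.run(argv) with
    shell=False, never a joined string)."""
    if not EMAIL_RE.fullmatch(recipient):
        raise ValueError(f"rejected alarm-to-mail recipient: {recipient!r}")
    if not subject or len(subject) > 120 or any(c in SHELL_META for c in subject):
        raise ValueError("rejected alarm-to-mail subject")
    return ["mail", "-s", subject, recipient]


def nginx_value_is_safe(value: str) -> bool:
    """Reject a web-interface setting that would inject extra directives when
    the value is written into a server block (e.g. a host name or path)."""
    if not value or len(value) > 253:
        return False
    return not any(c in NGINX_META for c in value)


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a trailing shell command.
    print(unsafe_mail_command("ops@example.com; id", "Compressor alarm"))
    print(safe_mail_argv("ops@example.com", "Compressor alarm"))
    print(nginx_value_is_safe("controller.example.com"))
    print(nginx_value_is_safe("x; include /etc/passwd"))
```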

Remediations

Mitigations

  • N/A

Credits (if opted in)

  1. Tomer Goldschmidt (Claroty Team82)

Other reference

Update log

  • 01 August, 2025: Publication