CVE-2025-26411

CVE-2025-26411: Authenticated Arbitrary Python File Upload via Plugin Manager

Vendor Wattsense

Product Wattsense Bridge

Weakness CWE-434 · Unrestricted file upload

Published February 11, 2025

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0.

Key dates

Disclosure timeline

February 11, 2025 CVE published

November 3, 2025 Record updated