CVE-2025-41648
IndustrialPI · IndustrialPI Multiple Products
Executive summary
A critical authentication bypass vulnerability in IndustrialPI products allows an unauthenticated remote attacker to gain full administrative control, leading to complete system compromise.
Vulnerability
An unauthenticated remote attacker can bypass the login mechanism of the web application. Successful exploitation grants the attacker the ability to access and modify all available system settings without requiring any credentials.
Business impact
Exploitation of this vulnerability could lead to a complete compromise of the affected industrial systems. An attacker could alter critical operational settings, exfiltrate sensitive data, or cause significant system downtime. The assigned CVSS score of 9.8 (Critical) underscores the extreme severity, reflecting the potential for total loss of confidentiality, integrity, and availability.
Remediation
Immediate Action: Administrators must immediately update all affected IndustrialPI devices to the latest available version as per the vendor's guidance to patch this vulnerability.
Proactive Monitoring: Review web application and system access logs for any unauthorized configuration changes or suspicious login bypass attempts.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to block authentication bypass attempts and restrict network access to the device's management interface to trusted IP addresses only.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical nature of this authentication bypass vulnerability, immediate action is required. We strongly recommend that all administrators prioritize the deployment of the vendor-supplied update without delay. Postponing this action exposes critical industrial systems to a high risk of complete and unauthorized takeover.