A critical unauthenticated remote code execution vulnerability in Multiple Products utilizing the Node_RED server allows an attacker to gain complete control of affected systems.**

An unauthenticated remote attacker can execute arbitrary commands with high privileges on affected devices. This flaw exists because the embedded Node_RED server does not have authentication configured by default, exposing administrative functions to any remote user.

A successful exploit would allow an attacker to achieve full system compromise, leading to data theft, service disruption, or the deployment of additional malware such as ransomware. The CVSS score of 10.0 (Critical) reflects the maximum possible impact, as the vulnerability is remotely exploitable without authentication and grants high-level privileges, posing a severe risk to the confidentiality, integrity, and availability of the affected systems.

Immediate Action: Administrators must update all affected products to the latest patched version immediately. If a patch is not yet available, enable authentication on the Node_RED server instance as a primary mitigation step.

Proactive Monitoring: Review server and application logs for unusual or unauthorized access patterns, particularly any commands executed via the Node_RED interface. Monitor for unexpected outbound network connections from affected devices.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to block unauthorized access to the Node_RED administrative interface and filter malicious command injection payloads.

Public Exploit Available: No

Given the critical severity and the lack of required authentication for exploitation, this vulnerability represents an immediate and significant threat. We strongly recommend that all administrators prioritize applying the vendor-supplied updates or implementing the required authentication configurations without delay to prevent a full system compromise.