RCEs and more in the KUNBUS GmbH Revolution Pi PLC
Description

TL;DR

- Four new vulnerabilities in the Revolution Pi industrial PLCs
- Two give unauthenticated attackers RCE, potentially with a direct impact on safety and operations
- Documentation and firmware are public, meaning greater oversight and better security in the long run
- KUNBUS’ PSIRT and CISA were great at coordinating disclosure

Introduction

The Revolution Pi is a programmable logic controller (PLC) made by KUNBUS GmbH. PLCs are ruggedised devices sitting near the lowest layer of an industrial network. They use simple I/O and fieldbus protocols to control field devices (valves, actuators, etc.) and monitor processes. The Revolution Pi is unique in that the documentation is public and KUNBUS encourage OS-level customisation. The firmware is also publicly accessible.

We found four vulnerabilities by downloading and extracting the Revolution Pi’s latest firmware version (01/2025). We didn’t even need to buy the device, although one would look great on our ICS demo rig! All were found with static code analysis but demonstrated by installing the firmware on a standard Raspberry Pi.

Three concerned PiCtory, a bespoke interface for configuring the Revolution Pi’s digital I/O and expansion modules:

The fourth was an insecure default configuration of Node-RED, a flow-based visual programming interface for controlling the I/O.

CISA and KUNBUS have released official advisories:

- ICSA-25-121-01
- Kunbus-2025-0000001
- Kunbus-2025-0000002

Attack paths

Several high-impact attack paths are possible as…
