CVE-2025-48466: Advantech WISE-4060LAN RCE Vulnerability

CVE-2025-48466 is a remote code execution flaw in Advantech WISE-4060LAN firmware allowing unauthenticated attackers to manipulate relay channels via Modbus TCP packets. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2025-48466 Overview

CVE-2025-48466 affects Advantech WISE-4010LAN, WISE-4050LAN, and WISE-4060LAN industrial I/O modules. The vulnerability allows an unauthenticated attacker on the adjacent network to send crafted Modbus TCP packets that manipulate Digital Outputs on the device. Successful exploitation grants remote control over relay channels, creating operational and safety risks in environments where these modules drive physical processes. The weakness maps to [CWE-863] Incorrect Authorization, reflecting the absence of authentication or authorization checks on Modbus write operations. The flaw carries a CVSS v3.1 base score of 8.1 with integrity and availability impact rated high.

Critical Impact

An unauthenticated attacker with adjacent network access can toggle relay outputs on Advantech WISE LAN modules, enabling unauthorized control of connected industrial equipment.

Affected Products

  • Advantech WISE-4010LAN (firmware, all versions per advisory)
  • Advantech WISE-4050LAN (firmware, all versions per advisory)
  • Advantech WISE-4060LAN firmware version 2.02b00

Discovery Timeline

  • 2025-06-24 - CVE-2025-48466 published to NVD
  • 2025-07-09 - Last updated in NVD database

Technical Details for CVE-2025-48466

Vulnerability Analysis

The Advantech WISE-4000 series provides Ethernet-attached I/O modules used in industrial automation. The affected modules expose a Modbus TCP service that accepts function codes for writing Digital Outputs, including Function Code 5 (Write Single Coil) and Function Code 15 (Write Multiple Coils). The service processes these write requests without verifying the identity or privileges of the requester. Any host able to reach the device on the Modbus TCP port can directly change the state of relay channels mapped to the device's Digital Outputs. Because the modules drive physical actuators in many deployments, unauthorized state changes can affect connected equipment, processes, or safety interlocks.

Root Cause

The root cause is missing authorization on Modbus TCP write operations [CWE-863]. The Modbus TCP specification does not define authentication, and the device does not layer access control on top of the protocol. Coil write requests are accepted and executed solely based on network reachability.

Attack Vector

Exploitation requires adjacent network access to the Modbus TCP listener on the device. An attacker constructs a standard Modbus TCP Application Data Unit containing a Write Single Coil or Write Multiple Coils request that targets the coil addresses backing the Digital Outputs. Sending the request to the device causes the targeted relay channel to switch to the attacker-supplied state. A public proof-of-concept is referenced in the GitHub PoC Repository describing the request structure required to drive the outputs.

Detection Methods for CVE-2025-48466

Indicators of Compromise

  • Unexpected Modbus TCP traffic on port 502 to or from WISE-4010LAN, WISE-4050LAN, or WISE-4060LAN devices originating from hosts outside the engineering workstation allowlist.
  • Modbus packets carrying Function Code 0x05 (Write Single Coil) or 0x0F (Write Multiple Coils) targeting Digital Output coil addresses on the affected modules.
  • Unscheduled relay state transitions or Digital Output toggles recorded in SCADA or historian logs.

Detection Strategies

  • Deploy network sensors that parse Modbus TCP and alert on write-class function codes (0x05, 0x06, 0x0F, 0x10) destined for WISE-4000 series modules.
  • Baseline normal Modbus client-to-server pairs and alert on new clients issuing write requests to affected device IP addresses.
  • Correlate physical process anomalies reported by the controller against the Modbus command log to identify unauthorized writes.
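The first two strategies can be combined in a small passive check. The following is an added example, not code from the advisory or the vendor: it parses Modbus TCP ADUs from a TCP payload and alerts on write-class function codes sent to a monitored module by a client outside the baseline. The module address 10.20.31.10, the unknown client 10.20.99.7, and the sample frames are constructed assumptions.

```python
import struct

# Write-class function codes from the detection strategy above.
WRITE_FCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
             0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

def iter_adus(payload: bytes):
    """Yield each Modbus TCP ADU in a TCP payload; stop at malformed data."""
    off = 0
    while len(payload) - off >= 8:  # 7-byte MBAP header + function code
        tid, proto, length, unit = struct.unpack_from(">HHHB", payload, off)
        # Protocol id is 0 for Modbus; length covers unit id + PDU.
        if proto != 0 or length < 2 or len(payload) - off < 6 + length:
            return
        pdu = payload[off + 7:off + 6 + length]
        rec = {"tid": tid, "unit": unit, "fc": pdu[0], "addr": None, "count": None}
        if pdu[0] in WRITE_FCS and len(pdu) >= 5:
            addr, second = struct.unpack_from(">HH", pdu, 1)
            # FC 0x05/0x06 carry a value in the second field, 0x0F/0x10 a quantity.
            rec["addr"] = addr
            rec["count"] = 1 if pdu[0] in (0x05, 0x06) else second
        yield rec
        off += 6 + length

def check_writes(src, dst, payload, monitored, baseline):
    """Alerts for writes to monitored modules from (client, server) pairs
    that are not in the baseline of known Modbus pairs."""
    if dst not in monitored or (src, dst) in baseline:
        return []
    return [f"ALERT {src} -> {dst} unit={r['unit']} {WRITE_FCS[r['fc']]} "
            f"addr={r['addr']} count={r['count']}"
            for r in iter_adus(payload) if r["fc"] in WRITE_FCS]

# Constructed sample data (not captured traffic); addresses are assumptions.
MONITORED = {"10.20.31.10"}
BASELINE = {("10.20.30.40", "10.20.31.10")}
READ_COILS = bytes.fromhex("000100000006010100000004")
WRITE_SINGLE = bytes.fromhex("00020000000601050000ff00")
WRITE_MULTI = bytes.fromhex("000300000008010f00000004010f")

if __name__ == "__main__":
    for src, frame in [("10.20.30.40", WRITE_SINGLE), ("10.20.99.7", READ_COILS),
                       ("10.20.99.7", READ_COILS + WRITE_MULTI)]:
        print(src, check_writes(src, "10.20.31.10", frame, MONITORED, BASELINE))
```

The check assumes the caller supplies reassembled TCP payloads; an ADU split across segments is treated as malformed and skipped rather than buffered.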

Monitoring Recommendations

  • Forward switch SPAN traffic from the OT segment hosting the WISE modules to an OT-aware IDS such as Zeek with the Modbus analyzer enabled.
  • Log all connections to TCP port 502 on firewalls separating IT and OT zones, and alert on connections from unauthorized source subnets.
  • Monitor device-side diagnostic counters and Digital Output state changes for events that do not match an authorized control sequence.

How to Mitigate CVE-2025-48466

Immediate Actions Required

  • Restrict TCP port 502 on affected WISE-4010LAN, WISE-4050LAN, and WISE-4060LAN modules to a strict allowlist of engineering workstations and PLCs that legitimately issue Modbus writes.
  • Place the affected modules behind an OT firewall or data diode that blocks Modbus traffic from corporate, guest, and wireless networks.
  • Inventory all WISE-4000 series modules and identify which Digital Outputs drive safety-relevant or process-critical equipment for prioritized isolation.

Patch Information

No fixed firmware version is referenced in the NVD entry for CVE-2025-48466 at the time of publication. Review the CSA Security Alert and the Advantech support portal for vendor guidance and any subsequent firmware updates beyond 2.02b00.

Workarounds

  • Terminate Modbus TCP at a protocol-aware gateway that enforces source-based authorization and rejects write function codes from untrusted clients.
  • Segment the WISE modules into a dedicated VLAN with ACLs permitting only the required control system endpoints to reach port 502.
  • Where supported, disable unused services on the module and bind the Modbus listener to a management interface that is not reachable from general-purpose networks.

```bash
# Example iptables rule on an upstream OT gateway:
# allow Modbus TCP only from the authorized PLC, drop all other inbound port 502 traffic
iptables -A FORWARD -p tcp -s 10.20.30.40 -d 10.20.31.0/24 --dport 502 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.20.31.0/24 --dport 502 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
