CVE-2025-9495

Published: Sep 23, 2025

Modified: Sep 23, 2025

PUBLISHED

Description

The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device.

Vendor	Product	Versions
Viessmann	Vitogate 300	affected `1 - < 3.0.0.0`

Weaknesses (CWE)

CWE-602

References

https://https://www.corporate.carrier.com/product-security/advisories-resources/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-9495

Description

Affected Products

Weaknesses (CWE)

References