The CS5000 Fire Panel is vulnerable due to a default account that exists
on the panel. Even though it is possible to change this by SSHing into
the device, it has remained unchanged on every installed system
observed. This account is not root but holds high-level permissions that
could severely impact the device's operation if exploited.
Fixes

Solution

Users wanting enhanced security features are advised to upgrade to Consilium Safety's newer line of fire panels. Specifically, products manufactured after July 1, 2024, incorporate more secure-by-design principles. More product safety information can be found on Consilium Safety's support webpage https://www.consiliumsafety.com/en/support/ .


Workaround

Consilium Safety is aware of these vulnerabilities. Currently, no fixes are planned for the CS5000 Fire Panel. Users wanting enhanced security features are advised to upgrade to Consilium Safety's newer line of fire panels. Specifically, products manufactured after July 1, 2024, incorporate more secure-by-design principles. Users of the CS5000 Fire Panel are recommended to implement compensating countermeasures, such as physical security and access control restrictions for dedicated personnel. More product safety information can be found on Consilium Safety's support webpage https://www.consiliumsafety.com/en/support/ .

History

Fri, 30 May 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 29 May 2025 23:30:00 +0000

Type Values Removed Values Added
Description The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing into the device, it has remained unchanged on every installed system observed. This account is not root but holds high-level permissions that could severely impact the device's operation if exploited.
Title Consilium Safety CS5000 Fire Panel Initialization of a Resource with an Insecure Default
Weaknesses CWE-1188
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-05-30T12:50:16.987Z

Reserved: 2025-05-15T21:07:17.944Z

Link: CVE-2025-41438

cve-icon Vulnrichment

Updated: 2025-05-30T12:50:13.742Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-05-30T00:15:23.003

Modified: 2025-05-30T16:31:03.107

Link: CVE-2025-41438

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.