Eclipse BaSyx ICS Platform: CVE-2026-7411 CVSS 10.0 Path Traversal RCE Threatens Industrial Asset Administration

Two critical vulnerabilities in Eclipse BaSyx V2 — the open-source Industrial Internet of Things Asset Administration Shell implementation used in Industry 4.0 infrastructure — allow an unauthenticated attacker to achieve remote code execution and bypass network segmentation. CVE-2026-7411 (CVSS 10.0) enables arbitrary file write on the BaSyx server; CVE-2026-7412 (CVSS 8.6) enables blind SSRF that can bypass OT network isolation. Patches are available in BaSyx V2 milestone-10.

Two critical vulnerabilities in Eclipse BaSyx V2 — the widely deployed open-source implementation of the IEC 63278 Asset Administration Shell (AAS) standard used in Industry 4.0 and Industrial Internet of Things environments — have been disclosed with a combined impact that enables unauthenticated remote code execution and network segmentation bypass on industrial infrastructure.

CVE-2026-7411 carries a CVSS score of 10.0 — the maximum — and allows an unauthenticated attacker to write arbitrary files on the BaSyx server host through a path traversal flaw in the file upload endpoint. CVE-2026-7412 (CVSS 8.6) provides a blind server-side request forgery capability that can be used to probe and interact with internal network services from the BaSyx server’s network position, effectively bypassing OT/IT network segmentation controls from the internet.

About Eclipse BaSyx and Asset Administration Shells

Eclipse BaSyx is an Eclipse Foundation project providing the open-source reference implementation of the Asset Administration Shell — a standardised digital twin and metadata representation for industrial assets defined by the Industrial Internet of Things Consortium and IEC standards bodies. Asset Administration Shells are designed to represent physical industrial equipment digitally, enabling automated data exchange in smart manufacturing, industrial automation, and supply chain integration.

BaSyx is deployed by manufacturers, system integrators, and industrial automation vendors building Industry 4.0 systems. Its position in an OT environment is often significant: BaSyx servers may have network access to both IT systems (for data integration) and OT systems (for real-time asset data), making them a potential pivot point between network segments.

CVE-2026-7411: Path Traversal to RCE (CVSS 10.0)

The vulnerability resides in BaSyx’s file upload API endpoint used for attaching documents, thumbnails, and supplementary files to Asset Administration Shell definitions. The file upload handler does not validate that the supplied filename parameter is restricted to the intended upload directory.

An unauthenticated attacker can provide a filename containing path traversal sequences (e.g., ../../etc/cron.d/exploit) to write an arbitrary file to any location writable by the BaSyx service process. Common exploitation paths include writing cron jobs, web server configuration files, or SSH authorised keys to achieve persistent code execution without requiring authentication.

The maximum CVSS score reflects the combination of no authentication required, network accessibility (the upload API is designed to be externally accessible), and the arbitrary code execution impact on a system typically positioned within or adjacent to OT networks.
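The missing check described above is a containment test on the resolved upload path. The following is an added illustration in Python, not BaSyx's own handler code; the function names and the scratch upload directory are assumptions made for the example. It shows the unchecked join beside a hardened form that also covers absolute names and symlinks.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """The supplied filename would resolve outside the upload root."""


def naive_target(upload_root: Path, filename: str) -> Path:
    # Pattern the advisory describes: the client-supplied name is joined to
    # the upload directory and used as-is, with no containment check.
    return Path(os.path.normpath(upload_root / filename))


def safe_target(upload_root: Path, filename: str) -> Path:
    # Hardened form: resolve "..", absolute names and symlinks first, then
    # require the result to be strictly inside the upload root.
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty name or NUL byte")
    root = upload_root.resolve(strict=True)
    candidate = (root / filename).resolve()
    if root not in candidate.parents:
        raise UnsafeFilename(f"{filename!r} resolves outside {root}")
    return candidate


def check_names(names):
    """Map each name to True if safe_target accepts it (scratch upload root)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        # Constructed edge case: a symlink inside the root that points outside.
        (root / "out").symlink_to(Path(tmp), target_is_directory=True)
        results = {}
        for name in names:
            try:
                safe_target(root, name)
                results[name] = True
            except UnsafeFilename:
                results[name] = False
        return results


if __name__ == "__main__":
    # "../../etc/cron.d/exploit" is the example name quoted in the article.
    for n, ok in check_names(["thumb.png", "../../etc/cron.d/exploit",
                              "/etc/passwd", "out/evil"]).items():
        print(f"{n!r}: {'accepted' if ok else 'rejected'}")
```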

CVE-2026-7412: SSRF for Network Segmentation Bypass (CVSS 8.6)

A blind server-side request forgery vulnerability in BaSyx’s connector component — used to fetch remote AAS descriptors and integrate with external data sources — allows an unauthenticated attacker to trigger HTTP requests from the BaSyx server to arbitrary internal network addresses.

In OT environments where BaSyx has access to both external networks (for IT integration) and internal OT networks (for asset data), CVE-2026-7412 allows an attacker to probe and interact with OT network services from the internet — bypassing firewall rules that would otherwise prevent direct external access to the OT network.
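A server-side fetch feature of this kind is usually guarded by validating the destination before any request leaves the host. The following is an added sketch in Python, not the BaSyx connector's code; the allowlist entry `registry.example.com` and the function names are hypothetical, and it assumes the connector only needs to reach public registries.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts the connector is expected to fetch from.
ALLOWED_HOSTS = {"registry.example.com"}


def resolve_all(host, port):
    """Return every address the name currently resolves to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_descriptor_url(url, resolver=resolve_all):
    """Return (ok, reason) for a URL the server has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    # Check every resolved address: an allowlisted name that points at a
    # private, loopback or link-local address must still be refused.
    for addr in resolver(host, port):
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver results so the demo runs offline.
    internal = lambda h, p: {"10.0.0.5"}
    for u in ("https://registry.example.com/shells", "http://192.168.10.20/"):
        print(u, check_descriptor_url(u, internal))
```

The request itself should then connect to the address that was validated and should not follow redirects without repeating the check; otherwise a changed DNS answer or a redirect can undo the validation.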

Affected Versions and Patch

Eclipse BaSyx V2 versions prior to milestone-10 (v2.0.0-milestone-10) are affected. Patches are available via the Eclipse BaSyx GitHub repository and Maven Central package registry.

Interim mitigations if patching is not immediately possible:

  • Restrict network access to BaSyx server endpoints to authorised client IP addresses — the file upload API should not be internet-accessible
  • Disable the remote connector functionality if external AAS descriptor fetching is not operationally required
  • Audit file system permissions on the BaSyx service account to limit writable directories to the intended upload path

OT Security Implications

Eclipse BaSyx’s position in Industry 4.0 architectures — bridging IT and OT networks in the service of digital twin and smart manufacturing use cases — makes it a high-value target for attackers seeking to cross OT/IT boundaries. The combination of a CVSS 10.0 unauthenticated RCE and a network segmentation bypass in the same platform represents a serious risk for industrial environments where BaSyx is deployed at the OT/IT boundary.

Organisations using BaSyx as part of their Industry 4.0 infrastructure should apply the patch immediately and review the network position of their BaSyx deployment — specifically confirming that the server is not reachable from the internet without authentication controls and that its network access to OT systems is restricted to the minimum required for operational function.
