Critical Consilium Safety CS5000 Fire Panel Vulnerabilities Could Enable Remote Takeover
CISA has issued a critical advisory warning of two severe security vulnerabilities affecting all versions of the Consilium Safety CS5000 Fire Panel, a widely deployed industrial control system used in fire safety environments worldwide.
These flaws, discovered by cybersecurity researcher Andrew Tierney of Pen Test Partners, could allow remote attackers to gain high-level access and potentially render fire safety systems non-functional, posing significant risks to critical infrastructure.
Consilium Fire Panel Vulnerabilities
The first vulnerability, designated CVE-2025-41438, involves the initialization of a resource with an insecure default configuration (CWE-1188).
A default high-privileged account exists on all CS5000 units and has been observed to remain unchanged in production environments across multiple installations.
While this account lacks root-level access, it possesses sufficient privileges to critically disrupt fire panel operations.
The vulnerability has received a CVSS v3.1 base score of 9.8, with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS v4 score of 9.3.
The second vulnerability, CVE-2025-46352, stems from hard-coded credentials (CWE-798) embedded within a VNC server component.
The password is visible as a string in the binary responsible for running VNC and cannot be altered by users. Anyone with knowledge of this hard-coded password can gain full remote access to the fire panel system.
This vulnerability also received critical CVSS scores of 9.8 (v3.1) and 9.3 (v4).
The CS5000 Fire Panel is deployed across multiple critical infrastructure sectors including commercial facilities, energy, government services and facilities, healthcare and public health, and transportation systems.
The Swedish-manufactured system sees global deployment, making the vulnerability impact widespread.
Successful exploitation could enable attackers to remotely operate fire panels and potentially render them non-functional, creating serious safety issues in critical environments where fire detection and suppression systems are essential.
Tierney, who first discovered these issues in 2020, noted that the disclosure process took considerable time due to initial vendor communication challenges.
The vulnerabilities were validated across multiple vessel installations, confirming that the issues are consistent across all CS5000 deployments.
| CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
| --- | --- | --- | --- | --- |
| CVE-2025-41438 | Consilium CS5000 Fire Panel (All versions) | Unauthorized high-level access enabling operational disruption | Default account remains unchanged | 9.8 (Critical) |
| CVE-2025-46352 | Consilium CS5000 Fire Panel (All versions) | Full remote takeover via VNC server control | Knowledge of hard-coded binary password | 9.8 (Critical) |
Security Measures
Consilium Safety has no plans to patch the existing CS5000 Fire Panel systems. Instead, the vendor recommends that users wanting enhanced security features migrate to newer hardware models manufactured after July 1, 2024, which incorporate more secure-by-design principles.
CISA recommends immediate implementation of compensating controls, including physical security measures and restricted administrative access to CS5000 devices.
Organizations should minimize network exposure for control systems, ensuring they are not accessible from the internet, and locate control system networks behind firewalls isolated from business networks.
When remote access is required, CISA advises using secure methods such as updated Virtual Private Networks (VPNs). No known public exploitation targeting these specific vulnerabilities has been reported to CISA at this time.
However, given the critical nature of fire safety systems and the high CVSS scores, organizations are urged to implement protective measures immediately while planning system upgrades.
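One way to verify the network-isolation control described above, as an added example that is not code from CISA, Consilium or Pen Test Partners: run from a host on the business network against your own panel inventory, it reports any address where a VNC (RFB) server still answers. TCP port 5900 is the standard VNC port and is an assumption here, since the advisory text above does not state which port the CS5000 uses; the addresses are constructed placeholders.

```python
import re
import socket

# RFB (the protocol VNC speaks) servers open every session by sending a
# 12-byte version banner such as b"RFB 003.008\n" before any authentication.
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")

def parse_rfb_banner(data):
    """Return (major, minor) if data is an RFB version banner, else None."""
    m = RFB_BANNER.fullmatch(data)
    return (int(m.group(1)), int(m.group(2))) if m else None

def probe(host, port=5900, timeout=3.0):
    """Classify one inventory entry as seen from the segment this runs on.

    Returns 'vnc-exposed', 'open-not-vnc' or 'unreachable'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # filtered, refused or timed out: the desired result
    data = b""
    with sock:
        try:
            while len(data) < 12:
                chunk = sock.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # port is open but silent or reset; judge on what arrived
    return "vnc-exposed" if parse_rfb_banner(data) else "open-not-vnc"

def audit(inventory, port=5900, timeout=3.0):
    """Return the inventory entries that violate the isolation requirement."""
    return [h for h in inventory if probe(h, port, timeout) == "vnc-exposed"]

if __name__ == "__main__":
    # Constructed inventory: documentation-range addresses, not real panels.
    PANELS = ["192.0.2.10", "192.0.2.11"]
    for host in audit(PANELS, timeout=1.0):
        print(f"{host}: VNC answers from this segment; isolation has failed")
```

An empty result from the business network and from any internet-facing vantage point is the expected state; because the VNC password cannot be changed, any 'vnc-exposed' entry should be treated as a firewall or routing fault to fix at the network layer.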