Back to overview

Phoenix Contact: Security Advisory for QUINT4-UPS EIP

VDE-2025-072
Last update
10/14/2025 08:00
Published at
10/14/2025 08:00
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2025-072
CSAF Document
Download

Summary

Multiple vulnerabilities were discovered in the firmware of QUINT4-UPS EIP devices that can be used by an unauthenticated remote attacker to perform Denial of Service attacks and to gather login credentials for the Webfrontend.

Impact

A successful attack can lead to Denial of Service or exposure of credentials.

Affected Product(s)

Model no. Product name Affected versions
2907069 QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07 QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07
2907069 QUINT4-UPS/24DC/24DC/10/EIP VC:07 QUINT4-UPS/24DC/24DC/10/EIP VC:07
2907074 QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07 QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07
2907074 QUINT4-UPS/24DC/24DC/20/EIP VC:07 QUINT4-UPS/24DC/24DC/20/EIP VC:07
2907080 QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07 QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07
2907080 QUINT4-UPS/24DC/24DC/40/EIP VC:07 QUINT4-UPS/24DC/24DC/40/EIP VC:07
2906994 QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07 QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07
2906994 QUINT4-UPS/24DC/24DC/5/EIP VC:07 QUINT4-UPS/24DC/24DC/5/EIP VC:07

Vulnerabilities

Expand / Collapse all

Published
10/14/2025 15:00
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
Missing Authentication for Critical Function (CWE-306)
Summary

An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command.

References
cve.org | nvd.nist.gov

Published
10/14/2025 15:00
Severity
6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Weakness
Unprotected Transport of Credentials (CWE-523)
Summary

An unauthenticated remote
attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.

References
cve.org | nvd.nist.gov

Published
10/14/2025 15:00
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

The websocket handler is vulnerable to a denial of service condition. An unauthenticated remote attacker can send a crafted websocket message to trigger the issue without affecting the core functionality.

References
cve.org | nvd.nist.gov

Published
10/14/2025 15:00
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

The webserver is vulnerable to a denial of service condition. An unauthenticated remote attacker can craft a special GET request with an over-long content-length to trigger the issue without affecting the core functionality.

References
cve.org | nvd.nist.gov

Published
10/14/2025 15:00
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weakness
Allocation of Resources Without Limits or Throttling (CWE-770)
Summary

An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality.

References
cve.org | nvd.nist.gov

Mitigation

Affected devices are designed and developed for the use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.

Remediation

Starting with version VC:07, all newly shipped devices will include firmware updates that address four vulnerabilities: CVE-2025-41704, CVE-2025-41705, CVE-2025-41706, and CVE-2025-41707.

However, configuration of devices via unauthenticated Modbus/TCP remains possible in VC:07, as this protocol is a widely used standard in the industrial sector. As a result, VC:07 is still affected by CVE-2025-41703.

Acknowledgments

Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:

  • CERTVDE for Coordination (see https://certvde.com/en/ )
  • D. Blagojevic, S. Dietz, F. Koroknai, T. Weber from CyberDanube Security Research for Reporting

Revision History

Version Date Summary
1.0.0 10/14/2025 08:00 Initial revision.