Back to overview

PHOENIX CONTACT: Products utilizing WIBU SYSTEMS CodeMeter components in versions prior to V7.21a

VDE-2021-036
Last update
05/14/2025 14:28
Published at
08/04/2021 09:56
Vendor(s)
Phoenix Contact GmbH & Co. KG
External ID
VDE-2021-036
CSAF Document
Download

Summary

Please consult the CVE entries above for more details.

Impact

An attacker may use the above-described vulnerabilities to perform a Denial of Service attack.
Phoenix Contact devices using CodeMeter embedded are not affected by these vulnerabilities.

Affected Product(s)

Model no. Product name Affected versions
Activation Wizard <=1.4 Activation Wizard <=1.4
1153509, 1153513, 1086929, 1153516, 1086891, 1153508, 1153520, 1086921, 1086889, 1086920 E-Mobility Charging Suite license codes for EV Charging Suite Setup <=1.7.3 E-Mobility Charging Suite license codes for EV Charging Suite Setup <=1.7.3
2702889 FL Network Manager <=5.0 FL Network Manager <=5.0
1083065 IOL-CONF <=1.7.0 IOL-CONF <=1.7.0
1165889 PLCNEXT ENGINEER EDU LIC <=2021.06 PLCNEXT ENGINEER EDU LIC <=2021.06

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:58
Severity
6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

In multiple managed switches by WAGO in different versions an attacker may trick a legitimate user to click a link to inject possible malicious code into the Web-Based Management.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

In multiple managed switches by WAGO in different versions the activated directory listing provides an attacker with the index of the resources located inside the directory.

References
cve.org | nvd.nist.gov

Mitigation

  1. Use general security best practices to protect systems from local and network attacks like described in the application node AH EN INDUSTRIAL SECURITY external link.
  2. Run CodeMeter as client only and use localhost as binding for the CodeMeter communication. With binding to localhost an attack is no longer possible via remote network connection. The network server is disabled by default. If it is not possible to disable the network server, using a host-based firewall to restrict access to the CmLAN port can reduce the risk.
  3. The CmWAN server is disabled by default. Please check if CmWAN is enabled and disable the feature if it is not needed.
  4. Run the CmWAN server only behind a reverse proxy with user authentication to prevent attacks from unauthenticated users. The risk of an unauthenticated attacker can be further reduced by using a host-based firewall that only allows the reverse proxy to access the CmWAN port.

Remediation

PHOENIX CONTACT strongly recommends affected Users to upgrade to Codemeter V7.21a, which fixes these vulnerabilities. Wibu-Systems has already published this update for CodeMeter on their homepage. Since this current version of CodeMeter V7.21a has not yet been incorporated into Phoenix Contact products, we strongly recommend to download and install the current CodeMeter version directly from the Wibu-Systems homepage.

Revision History

Version Date Summary
1 08/04/2021 09:56 Initial revision.
2 05/14/2025 14:28 Fix: version space, added distribution