
PHOENIX CONTACT: PC Worx/-Express prone to improper input validation vulnerability

VDE-2021-052
Last update: 05/22/2025 15:03
Published at: 11/03/2021 10:45
Vendor(s): Phoenix Contact GmbH & Co. KG
External ID: VDE-2021-052

Summary

PC Worx / -Express is vulnerable to a 'zip slip' style vulnerability when loading a project file.

Impact

Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.
Automated systems in operation which were programmed with one of the above-mentioned products are not affected.

Affected Product(s)

Model no. Product name Affected versions
PHOENIX CONTACT PC Worx Firmware <=1.88
PHOENIX CONTACT PC Worx Express Firmware <=1.88

Vulnerabilities


Published: 09/22/2025 14:57
Weakness: Improper Input Validation (CWE-20)

Mitigation

We strongly recommend that customers exchange project files only via secure file exchange services. Project files should not be exchanged via unencrypted email.
In addition, we recommend exchanging or storing project files together with a checksum so that their integrity can be verified.

Remediation

With the next version of the Automation Worx Software Suite, additional plausibility checks for archive content will be implemented.
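
Until such checks ship, a receiving workstation can apply the checksum recommendation from the Mitigation section and a basic archive-content plausibility check itself. The following is an added example, not Phoenix Contact code; it assumes the project file is a ZIP-compatible archive, and all function names and the sample archive are constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile
from pathlib import PureWindowsPath


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """True if the file's SHA-256 equals the checksum received out of band."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def suspicious_entries(data: bytes) -> list[str]:
    """Return entry names that would resolve outside the extraction folder."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            # Windows path rules: "/" and "\" both separate, "C:" is a drive.
            path = PureWindowsPath(info.filename)
            if path.drive or path.root or ".." in path.parts:
                flagged.append(info.filename)
    return flagged


def check_project_file(data: bytes, expected_hex: str) -> list[str]:
    """Return the reasons to reject the file; an empty list means it passed."""
    reasons = []
    if not sha256_matches(data, expected_hex):
        reasons.append("checksum mismatch")
    reasons += [f"entry escapes target folder: {n}" for n in suspicious_entries(data)]
    return reasons


def build_sample() -> bytes:
    """Constructed test archive: one ordinary entry and three that must be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in ("project/main.txt", "../outside.txt",
                     "..\\..\\outside.txt", "C:/Temp/outside.txt"):
            archive.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    good = hashlib.sha256(sample).hexdigest()
    for reason in check_project_file(sample, good):
        print(reason)
```

The checksum only proves the file is the one the sender hashed, so it must arrive over a different channel than the file itself; the entry check is what catches a traversal name in an archive that was malicious from the start.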

Revision History

Version | Date | Summary
1 | 11/03/2021 10:45 | initial revision
2 | 05/22/2025 15:03 | Fix: quotation mark