Summary
Multiple vulnerabilities in the PLCnext system allowed low-privileged remote attackers to gain unauthorized access or trigger system reboots by manipulating configuration files and symbolic links. Affected services include watchdog, arp-preinit, and security-profile, potentially exposing critical system files. These issues have been resolved in firmware version 2025.0.2.
Impact
Availability, integrity, or confidentiality of the PLCnext Control might be compromised by attacks using these vulnerabilities.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 1151412 | AXC F 1152 | Firmware <2025.0.2 |
| 2404267 | AXC F 2152 | Firmware <2025.0.2 |
| 1069208 | AXC F 3152 | Firmware <2025.0.2 |
| 1246285 | BPC 9102S | Firmware <2025.0.2 |
| 1051328 | RFC 4072S | Firmware <2025.0.2 |
Vulnerabilities
Expand / Collapse allA low privileged remote attacker with file access can replace a critical file or folder used by the service security-profile to get read, write and execute access to any file on the device.
A low privileged remote attacker with file access can replace a critical file used by the arp-preinit script to get read, write and execute access to any file on the device.
A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized.
An low privileged remote attacker can enforce the watchdog of the affected devices to reboot the PLC due to incorrect default permissions of a config file.
Remediation
Update to the latest 2025.0.2 Firmware Release. PHOENIX CONTACT recommends to always use an up-to-date version of the PLCnext Engineer.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 07/08/2025 12:00 | Initial |