Summary
Multiple vulnerabilities were discovered in the firmware of QUINT4-UPS EIP devices that can be used by an unauthenticated remote attacker to perform Denial of Service attacks and to gather login credentials for the Webfrontend.
Impact
A successful attack can lead to Denial of Service or exposure of credentials.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 2907069 | QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07 | QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07 |
| 2907069 | QUINT4-UPS/24DC/24DC/10/EIP VC:07 | QUINT4-UPS/24DC/24DC/10/EIP VC:07 |
| 2907074 | QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07 | QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07 |
| 2907074 | QUINT4-UPS/24DC/24DC/20/EIP VC:07 | QUINT4-UPS/24DC/24DC/20/EIP VC:07 |
| 2907080 | QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07 | QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07 |
| 2907080 | QUINT4-UPS/24DC/24DC/40/EIP VC:07 | QUINT4-UPS/24DC/24DC/40/EIP VC:07 |
| 2906994 | QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07 | QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07 |
| 2906994 | QUINT4-UPS/24DC/24DC/5/EIP VC:07 | QUINT4-UPS/24DC/24DC/5/EIP VC:07 |
Vulnerabilities
Expand / Collapse allAn unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command.
An unauthenticated remote
attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.
The websocket handler is vulnerable to a denial of service condition. An unauthenticated remote attacker can send a crafted websocket message to trigger the issue without affecting the core functionality.
The webserver is vulnerable to a denial of service condition. An unauthenticated remote attacker can craft a special GET request with an over-long content-length to trigger the issue without affecting the core functionality.
An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality.
Mitigation
Affected devices are designed and developed for the use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.
Remediation
Starting with version VC:07, all newly shipped devices will include firmware updates that address four vulnerabilities: CVE-2025-41704, CVE-2025-41705, CVE-2025-41706, and CVE-2025-41707.
However, configuration of devices via unauthenticated Modbus/TCP remains possible in VC:07, as this protocol is a widely used standard in the industrial sector. As a result, VC:07 is still affected by CVE-2025-41703.
Acknowledgments
Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:
- CERTVDE for Coordination (see https://certvde.com/en/ )
- D. Blagojevic, S. Dietz, F. Koroknai, T. Weber from CyberDanube Security Research for Reporting
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 14.10.2025 08:00 | Initial revision. |