Phoenix Contact: Security Advisory for TC ROUTER and CLOUD CLIENT Industrial mobile network routers

VDE-2025-073
Last update: 13.01.2026 09:00
Published at: 13.01.2026 09:00
Vendor(s): Phoenix Contact GmbH & Co. KG
External ID: VDE-2025-073

Summary

A code injection vulnerability has been discovered at the upload-config endpoint in the firmware of TC ROUTER and CLOUD CLIENT industrial mobile network routers. It can be exploited by a high-privileged attacker.

Impact

The vulnerability can lead to a total loss of confidentiality, integrity and availability of the devices.

Affected Product(s)

Model no.  Product name                 Affected versions
1221706    CLOUD CLIENT 1101T-TX/TX     Firmware <FW 3.07.7
2702888    TC CLOUD CLIENT 1002-4G ATT  Firmware <FW 3.08.8
2702885    TC CLOUD CLIENT 1002-TX/TX   Firmware <FW 3.07.7
2702531    TC ROUTER 2002T-3G           Firmware <FW 3.08.8
2702530    TC ROUTER 2002T-4G           Firmware <FW 3.08.8
2702529    TC ROUTER 3002T-3G           Firmware <FW 3.08.8
2702528    TC ROUTER 3002T-4G           Firmware <FW 3.08.8
2702533    TC ROUTER 3002T-4G ATT       Firmware <FW 3.08.8
1632697    TC ROUTER 3002T-4G GL        Firmware <FW 3.08.8
2702532    TC ROUTER 3002T-4G VZW       Firmware <FW 3.08.8
1439475    TC ROUTER 5004T-5G EU        Firmware <FW 1.06.23

Vulnerabilities

Published: 13.01.2026 09:20
Weakness: Improper Control of Generation of Code ('Code Injection') (CWE-94)

Mitigation

As this vulnerability can only be exploited by an authenticated high-privileged user, Phoenix Contact recommends strictly restricting administrative access to the device. The administrative user shall only import configuration files from trusted sources.

Remediation

Phoenix Contact recommends upgrading to the latest firmware, which fixes this vulnerability.

Product                      Fixed Version
TC ROUTER 3002T-3G           3.08.8
TC ROUTER 2002T-3G           3.08.8
TC ROUTER 3002T-4G           3.08.8
TC ROUTER 3002T-4G GL        3.08.8
TC ROUTER 5004T-5G EU        1.06.23
TC ROUTER 3002T-4G VZW       3.08.8
TC ROUTER 3002T-4G ATT       3.08.8
TC ROUTER 2002T-4G           3.08.8
CLOUD CLIENT 1101T-TX/TX     3.07.7
TC CLOUD CLIENT 1002-4G ATT  3.08.8
TC CLOUD CLIENT 1002-TX/TX   3.07.7
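
To triage an asset inventory against the tables above, the following added example (not Phoenix Contact or CERT@VDE code) compares installed firmware to the fixed version per model number. The inventory rows, host names and the function names are constructed for illustration; versions are compared numerically because a string comparison misorders values such as 1.06.9 and 1.06.23.

```python
import re

# Fixed firmware version per model number, taken from the advisory's tables.
FIXED = {
    "1221706": "3.07.7",   # CLOUD CLIENT 1101T-TX/TX
    "2702885": "3.07.7",   # TC CLOUD CLIENT 1002-TX/TX
    "2702888": "3.08.8",   # TC CLOUD CLIENT 1002-4G ATT
    "2702531": "3.08.8",   # TC ROUTER 2002T-3G
    "2702530": "3.08.8",   # TC ROUTER 2002T-4G
    "2702529": "3.08.8",   # TC ROUTER 3002T-3G
    "2702528": "3.08.8",   # TC ROUTER 3002T-4G
    "2702533": "3.08.8",   # TC ROUTER 3002T-4G ATT
    "1632697": "3.08.8",   # TC ROUTER 3002T-4G GL
    "2702532": "3.08.8",   # TC ROUTER 3002T-4G VZW
    "1439475": "1.06.23",  # TC ROUTER 5004T-5G EU
}

def parse_version(text):
    """Parse '3.08.8' or 'FW 3.08.8' into a tuple of ints; None if malformed."""
    m = re.fullmatch(r"\s*(?:FW\s*)?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(model_no, installed):
    """Classify one device against the advisory."""
    fixed = FIXED.get(model_no)
    if fixed is None:
        return "not-listed"        # model is not in this advisory
    have = parse_version(installed)
    if have is None:
        return "unknown-version"   # cannot decide; check the device manually
    return "affected" if have < parse_version(fixed) else "fixed"

# Constructed sample inventory: (host, model no., reported firmware).
INVENTORY = [
    ("rtr-pump-01", "2702528", "3.08.7"),
    ("rtr-pump-02", "2702528", "3.08.10"),  # newer than 3.08.8 numerically
    ("cc-line-03", "1221706", "FW 3.07.7"),
    ("rtr-5g-04", "1439475", "1.06.9"),     # older than 1.06.23 numerically
    ("rtr-old-05", "2702531", "unknown"),
    ("sw-06", "9999999", "1.0.0"),          # placeholder model, not in advisory
]

def report(inventory=INVENTORY):
    return {host: triage(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:12} {status}")
```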

Acknowledgments

Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:

  • CERTVDE for Coordination (see https://certvde.com/en/)
  • D. Blagojevic, S. Dietz, F. Koroknai, T. Weber from CyberDanube for Reporting.

Revision History

Version  Date              Summary
1.0.0    13.01.2026 09:00  Initial Revision