Pepperl+Fuchs: Multiple vulnerabilites in Comtrol IO-Link Master

VDE-2020-038

Last update

14.05.2025 15:00

Published at

04.01.2021 14:01

Vendor(s)

Pepperl+Fuchs SE

External ID

VDE-2020-038

CSAF Document

Download

Summary

Several vulnerabilities exist within firmware versions up to and including v1.5.48.

Impact

Pepperl+Fuchs analyzed and identified affected devices.
Remote attackers may exploit multiple vulnerabilities to get access to the device and
execute any program and tap information.

Affected Product(s)

Model no.	Product name	Affected versions
	IO-Link Master 4-EIP	Firmware <=v1.5.48
	IO-Link Master 4-PNIO	Firmware <=v1.5.48
	IO-Link Master 8-EIP	Firmware <=v1.5.48
	IO-Link Master 8-EIP-L	Firmware <=v1.5.48
	IO-Link Master 8-PNIO	Firmware <=v1.5.48
	IO-Link Master 8-PNIO-L	Firmware <=v1.5.48
	IO-Link Master DR-8-EIP	Firmware <=v1.5.48
	IO-Link Master DR-8-EIP-P	Firmware <=v1.5.48
	IO-Link Master DR-8-EIP-T	Firmware <=v1.5.48
	IO-Link Master DR-8-PNIO	Firmware <=v1.5.48
	IO-Link Master DR-8-PNIO-P	Firmware <=v1.5.48
	IO-Link Master DR-8-PNIO-T	Firmware <=v1.5.48

Vulnerabilities

Expand / Collapse all

Published

22.09.2025 14:58

Severity

8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weakness

Cross-Site Request Forgery (CSRF) (CWE-352)

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

Improper Validation of Specified Quantity in Input (CWE-1284)

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness

Out-of-bounds Read (CWE-125)

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

References

cve.org | nvd.nist.gov

Published

22.09.2025 14:58

Severity

4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Weakness

NULL Pointer Dereference (CWE-476)

References

cve.org | nvd.nist.gov

Remediation

In order to prevent the exploitation of the reported vulnerabilities, we recommend that the
affected units be updated with the following three firmware packages:

U-Boot bootloader version 1.36
System image version 1.52
Application base version 1.6.11

Revision History

Version	Date	Summary
1	04.01.2021 14:01	initial revision
2	12.02.2025 17:57	Fix: corrected self-reference, fixed version
3	14.05.2025 15:00	Fix: added distribution

Pepperl+Fuchs: Multiple vulnerabilites in Comtrol IO-Link Master

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2020-12513 8.8

CVE-2020-12511 8.8

CVE-2018-0732 7.5

CVE-2018-20679 7.5

CVE-2020-12512 5.4

CVE-2020-12514 4.9

Remediation

Revision History