Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability

VDE-2021-041

Last update: 22.05.2025 15:03
Published at: 26.10.2021 15:35
Vendor(s): Pepperl+Fuchs SE
External ID: VDE-2021-041

Summary

Critical vulnerabilities have been discovered in log4net, a component from the Apache Software Foundation that is used in the affected products.

UPDATE A: Remediation: added fixed VisuNet Products

Impact

Pepperl+Fuchs analyzed and identified affected devices.
In the 'Affected products' table, packages are listed next to some products. These products are only affected if the corresponding software package is installed, since the package contains the vulnerability.

To exploit the vulnerability, the access rights of an authorized user or admin are required.

Exploitation of the vulnerability on the affected products may result in:

  • Denial of Service
  • Loss of Credentials
  • Code Execution

The CVSS environmental score is specific to the customer's environment and should therefore be individually assessed by the customer to accomplish final scoring.

Affected Product(s)

| Product name | Affected versions |
|---|---|
| ABB Project Builder | <=1.1.1.1122 |
| ADM Project Builder Emerson in Emerson Integration Package | <=1.1.3.1463 |
| AMS Alert Adapter in Emerson Integration Package | <=1.1.3.1463 |
| All contained DTMs in DTM Collection HART-Multiplexer | <=2.0.0.130 |
| All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57 | <=1.0.31 |
| All contained DTMs in DTM Collection WirelessHART | <=1.0.2.4 |
| All contained DTMs in DTM Library HART used with 6500 Series | <=2.4.11.59 |
| All contained DTMs in Diagnostic Manager | 2.0.0.1177<=2.2.2.3478 |
| All contained DTMs in FieldConnex Diagnostic Gateway FF DTM | <=2.2.2.3478 |
| All contained DTMs in HART DTM Library Enhanced used with PS3500-DM | <=2.4.11.59 |
| All contained DTMs in TMI-FF DTM | <=2.6.3.10 |
| FDH-1 Manager | <=1.0.1.1022 |
| P+F DTMLibrary Modbus in DTM used with S1SD-1TI-1U | V2.3.68 |
| VisuNet Control Center | <=4.7.1 |
| VisuNet Factory Reset | 5.x |
| VisuNet Factory Reset | <=6.1.0 |
| VisuNet GXP PC Service Tool | <=1.1.0 |
| VisuNet RM Shell | <=5.5.0 |

Vulnerabilities


Published: 22.09.2025 14:57
Weakness: Improper Restriction of XML External Entity Reference (CWE-611)

Mitigation

External countermeasures are needed for the remaining products.
The following protective measure is required for VisuNet devices and the PCs/Servers with an installed DTM:
Restrict local access to the device, PC/Server and use user authentication to prevent unauthorized access.

Remediation

The following affected DTM products can be updated to the listed version:

| Item | Version |
|---|---|
| FieldConnex DTM Collection | 1.7.1.2159 |
| Diagnostic Manager | 2.2.3.3527 |
| FieldConnex Diagnostic Gateway FF DTM | 2.2.3.3527 |
| FDH-1 Manager | 1.0.2.1049 |
| ABB Project Builder | 1.1.2.1134 |
| Honeywell Integration Package | 1.1.3.0 |
| Emerson Integration Package [ADM Project Builder Emerson] | 1.1.4.1474 |
| Emerson Integration Package [AMS Alert Adapter] | 1.1.3.72 |
| DTM Collection HART-Multiplexer | 2.0.1.208 |

UPDATE A

The following affected VisuNet products can be updated to the listed version:

| Item | Version |
|---|---|
| VisuNet RM Shell 5 (2016 LTSB) | 5.5.1.1200 |
| VisuNet RM Shell 5 (2019 LTSC) | 5.6.0.1383 |
| VisuNet Factory Reset | 6.1.1.262 |
| VisuNet Control Center | 4.8.0.1596 |
| VisuNet GXP PC Service Tool | 1.1.1 |

END UPDATE A

Revision History

| Version | Date | Summary |
|---|---|---|
| 1 | 26.10.2021 15:35 | Initial revision. |
| 2 | 17.01.2022 16:16 | UPDATE A: add list of affected VisuNet products |
| 3 | 22.05.2025 15:03 | Fix: firmware category, quotation mark |