| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | AXC F 1152 | < 2025.0.2 |
| | AXC F 2152 | < 2025.0.2 |
| | AXC F 3152 | < 2025.0.2 |
| | BPC 9102S | < 2025.0.2 |
| | RFC 4072S | < 2025.0.2 |

Multiple vulnerabilities in the PLCnext system allowed low-privileged remote attackers to gain unauthorized access or trigger system reboots by manipulating configuration files and symbolic links. Affected services include watchdog, arp-preinit, and security-profile, potentially exposing critical system files. These issues have been resolved in firmware version 2025.0.2.
A low-privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized.
A low-privileged remote attacker with file access can replace a critical file used by the arp-preinit script to get read, write and execute access to any file on the device.
A low-privileged remote attacker with file access can replace a critical file or folder used by the service security-profile to get read, write and execute access to any file on the device.
A low-privileged remote attacker can force the watchdog of the affected devices to reboot the PLC due to incorrect default permissions of a config file.
Availability, integrity, or confidentiality of the PLCnext Control might be compromised by attacks using these vulnerabilities.
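The issues above share one pattern: a file or folder read by a privileged service can be replaced or modified by a low-privileged account. The following Python check is an added example, not code from Phoenix Contact or CERT@VDE; it flags that pattern for any path you pass it. The function name `audit_path`, the default trusted uid 0 and the group/other-writable heuristic are assumptions, and no device paths are hard-coded because the advisory does not name them.

```python
import os
import stat
import sys

def audit_path(path, trusted_uids=(0,), stop_at="/"):
    """Return reasons a non-trusted account could replace `path`.

    Heuristic: inspects the file and each ancestor directory up to `stop_at`.
    """
    findings = []
    current = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    while True:
        try:
            st = os.lstat(current)  # lstat: inspect a symlink itself, not its target
        except FileNotFoundError:
            st = None
            findings.append(f"{current}: missing")
        if st is not None:
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by uid {st.st_uid}")
            if stat.S_ISLNK(st.st_mode):
                # Link mode bits mean nothing; the target needs its own audit.
                findings.append(f"{current}: symlink to {os.readlink(current)}")
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{current}: group/other-writable "
                                f"({stat.filemode(st.st_mode)})")
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

if __name__ == "__main__":
    # Pass the files your root-run services read as arguments; the advisory
    # does not name the affected paths, so none are hard-coded here.
    for target in sys.argv[1:]:
        for line in audit_path(target) or [f"{target}: ok"]:
            print(line)
```

An empty result means the file and every ancestor directory are owned by a trusted uid and are not writable by group or other; a reported symlink should be audited again at its target.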
Remediation
Update to the latest 2025.0.2 Firmware Release. PHOENIX CONTACT recommends always using an up-to-date version of the PLCnext Engineer.
CERT@VDE coordinated with Phoenix Contact
Reporting: Nozomi