Summary
The display unit of the Endress+Hauser MCS200HW is affected by a sudo chroot vulnerability.
Impact
If exploited, this vulnerability could potentially allow an unauthenticated attacker to compromise the availability, integrity, and confidentiality of the Endress+Hauser MCS200HW.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| | MCS200HW | Firmware <1.11.5.6R |
Vulnerabilities
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Mitigation
As a temporary mitigation measure, both system and network access to the affected functionality should be strictly restricted. Access should be limited to authorized personnel only, and exposure to external or untrusted networks should be minimized or fully blocked until an update of the display firmware has been completed.
Remediation
Endress+Hauser has released updated firmware versions that address this vulnerability.
The display unit's firmware versions below 4.3.4 are affected. To address the vulnerability,
customers are strongly recommended to update the display unit of their devices to firmware version
4.3.4.
Endress+Hauser will include this firmware version in the MCS200HW products starting with version
1.11.5.6R.
Alternatively, customers can contact Endress+Hauser directly to obtain the updated display firmware,
or download the original firmware - including update instructions - from the Phoenix Contact website
referenced below.
Customers are strongly advised to upgrade to the latest fixed version. For assistance, please contact your local Endress+Hauser service center.
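The following triage script is an added example, not part of the Endress+Hauser advisory: it compares inventoried version strings against the two fixed versions named above (display firmware 4.3.4, sudo 1.9.17p1), including sudo's `pN` patch suffix. The asset names, record layout and sample values are constructed, and it assumes display firmware versions are plain dotted numbers.

```python
import re

# Thresholds taken from the advisory text above.
SUDO_FIXED = "1.9.17p1"
DISPLAY_FW_FIXED = "4.3.4"

_VERSION_RE = re.compile(r"(?:Sudo version\s+)?(\d+(?:\.\d+)*)(?:p(\d+))?")


def parse_version(text):
    """Parse '4.3.4', '1.9.17p1' or 'Sudo version 1.9.17p1' into a sortable key."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))      # pad so 1.9 compares equal to 1.9.0
    patch = int(m.group(2) or 0)         # 'pN' sorts after the bare release
    return tuple(parts), patch


def is_before(version, fixed):
    """True when `version` is strictly older than `fixed`."""
    return parse_version(version) < parse_version(fixed)


def triage(records):
    """Return {asset: [findings]} for records still below the fixed versions."""
    findings = {}
    for rec in records:
        reasons = []
        if is_before(rec["display_fw"], DISPLAY_FW_FIXED):
            reasons.append(f"display firmware {rec['display_fw']} < {DISPLAY_FW_FIXED}")
        sudo = rec.get("sudo")           # optional: not every inventory records it
        if sudo and is_before(sudo, SUDO_FIXED):
            reasons.append(f"sudo {sudo} < {SUDO_FIXED}")
        if reasons:
            findings[rec["asset"]] = reasons
    return findings


# Constructed inventory records (hypothetical asset names and field layout).
SAMPLE_INVENTORY = [
    {"asset": "analyzer-01", "display_fw": "4.3.3", "sudo": "Sudo version 1.9.17"},
    {"asset": "analyzer-02", "display_fw": "4.3.4", "sudo": "Sudo version 1.9.17p1"},
    {"asset": "analyzer-03", "display_fw": "4.2.10"},
]

if __name__ == "__main__":
    for asset, reasons in triage(SAMPLE_INVENTORY).items():
        print(asset, "->", "; ".join(reasons))
```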
Acknowledgments
Endress+Hauser AG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 04/21/2026 09:00 | Initial version |