Vulnerability-Lookup

CVE-2025-41669 (GCVE-0-2025-41669)

Vulnerability from cvelistv5 – Published: 2026-05-27 07:18 – Updated: 2026-05-27 12:04

Title

Insufficient Verification of Data Authenticity

Summary

The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

CERTVDE

References

1 reference

URL	Tags
https://www.certvde.com/en/advisories/VDE-2026-050/

Impacted products

14 products

Vendor	Product	Version
Phoenix Contact	AXC F 1152	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	AXC F 1252	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	AXC F 2000 EA	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	AXC F 2152	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	AXC F 3152	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	BPC 9102S	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	EPC 1522	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	RFC 4072R	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	RFC 4072S	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	VL3 UPC 2440 EDGE	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	VPLCNEXT CONTROL 1000	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	VPLCNEXT CONTROL 2000	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	VPLCNEXT CONTROL 3000	Affected: 0.0.0 , < 2026.0.3 (semver)
Phoenix Contact	VPLCNEXT CONTROL 500	Affected: 0.0.0 , < 2026.0.3 (semver)

Credits

Diego Giubertoni from Nozomi

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-41669",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T11:53:22.514056Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T12:04:07.823Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 1152",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 1252",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 2000 EA",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 2152",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AXC F 3152",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "BPC 9102S",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EPC 1522",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RFC 4072R",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RFC 4072S",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VL3 UPC 2440 EDGE",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VPLCNEXT CONTROL 1000",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VPLCNEXT CONTROL 2000",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VPLCNEXT CONTROL 3000",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VPLCNEXT CONTROL 500",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "lessThan": "2026.0.3",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_1152:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_1252:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_2000_ea:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_2152:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:axc_f_3152:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:bpc_9102s:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:epc_1522:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:rfc_4072r:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:rfc_4072s:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vl3_upc_2440_edge:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vplcnext_control_1000:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vplcnext_control_2000:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vplcnext_control_3000:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenix_contact:vplcnext_control_500:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.0.3",
                  "versionStartIncluding": "0.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Diego Giubertoni from Nozomi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control."
            }
          ],
          "value": "The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347 Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T07:18:28.236Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://www.certvde.com/en/advisories/VDE-2026-050/"
        }
      ],
      "source": {
        "advisory": "VDE-2026-050",
        "defect": [
          "CERT@VDE#641839"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Insufficient Verification of Data Authenticity",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2025-41669",
    "datePublished": "2026-05-27T07:18:28.236Z",
    "dateReserved": "2025-04-16T11:17:48.308Z",
    "dateUpdated": "2026-05-27T12:04:07.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-41669",
      "date": "2026-05-27",
      "epss": "0.00058",
      "percentile": "0.18165"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-41669\",\"sourceIdentifier\":\"info@cert.vde.com\",\"published\":\"2026-05-27T08:16:39.710\",\"lastModified\":\"2026-05-27T08:16:39.710\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"references\":[{\"url\":\"https://www.certvde.com/en/advisories/VDE-2026-050/\",\"source\":\"info@cert.vde.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"AXC F 1152\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"AXC F 1252\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"AXC F 2000 EA\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"AXC F 2152\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"AXC F 3152\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"BPC 9102S\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"EPC 1522\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"RFC 4072R\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"RFC 4072S\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"VL3 UPC 2440 EDGE\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"VPLCNEXT CONTROL 1000\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"VPLCNEXT CONTROL 2000\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"VPLCNEXT CONTROL 3000\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"VPLCNEXT CONTROL 500\", \"vendor\": \"Phoenix Contact\", \"versions\": [{\"lessThan\": \"2026.0.3\", \"status\": \"affected\", \"version\": \"0.0.0\", \"versionType\": \"semver\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:axc_f_1152:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:axc_f_1252:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:axc_f_2000_ea:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:axc_f_2152:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:axc_f_3152:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:bpc_9102s:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:epc_1522:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:rfc_4072r:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:rfc_4072s:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:vl3_upc_2440_edge:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:vplcnext_control_1000:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:vplcnext_control_2000:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:vplcnext_control_3000:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}, {\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:phoenix_contact:vplcnext_control_500:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2026.0.3\", \"versionStartIncluding\": \"0.0.0\", \"vulnerable\": true}], \"negate\": false, \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Diego Giubertoni from Nozomi\"}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.\"}], \"value\": \"The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.\"}], \"metrics\": [{\"cvssV4_0\": {\"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"Safety\": \"NOT_DEFINED\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"attackVector\": \"NETWORK\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"providerUrgency\": \"NOT_DEFINED\", \"subAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"version\": \"4.0\", \"vulnAvailabilityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-347\", \"description\": \"CWE-347 Improper Verification of Cryptographic Signature\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"270ccfa6-a436-4e77-922e-914ec3a9685c\", \"shortName\": \"CERTVDE\", \"dateUpdated\": \"2026-05-27T07:18:28.236Z\"}, \"references\": [{\"url\": \"https://www.certvde.com/en/advisories/VDE-2026-050/\"}], \"source\": {\"advisory\": \"VDE-2026-050\", \"defect\": [\"CERT@VDE#641839\"], \"discovery\": \"UNKNOWN\"}, \"title\": \"Insufficient Verification of Data Authenticity\", \"x_generator\": {\"engine\": \"Vulnogram 0.4.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-41669\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-27T11:53:22.514056Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-27T12:04:03.164Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-41669\", \"assignerOrgId\": \"270ccfa6-a436-4e77-922e-914ec3a9685c\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"CERTVDE\", \"dateReserved\": \"2025-04-16T11:17:48.308Z\", \"datePublished\": \"2026-05-27T07:18:28.236Z\", \"dateUpdated\": \"2026-05-27T12:04:07.823Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-41669

Vulnerability from fkie_nvd - Published: 2026-05-27 08:16 - Updated: 2026-05-27 08:16

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	info@cert.vde.com	https://www.certvde.com/en/advisories/VDE-2026-050/

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control."
    }
  ],
  "id": "CVE-2025-41669",
  "lastModified": "2026-05-27T08:16:39.710",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "info@cert.vde.com",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "info@cert.vde.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T08:16:39.710",
  "references": [
    {
      "source": "info@cert.vde.com",
      "url": "https://www.certvde.com/en/advisories/VDE-2026-050/"
    }
  ],
  "sourceIdentifier": "info@cert.vde.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "info@cert.vde.com",
      "type": "Primary"
    }
  ]
}

GHSA-M3WG-2CH3-59M2

Vulnerability from github – Published: 2026-05-27 09:31 – Updated: 2026-05-27 09:31

Details

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-41669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T08:16:39Z",
    "severity": "HIGH"
  },
  "details": "The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.",
  "id": "GHSA-m3wg-2ch3-59m2",
  "modified": "2026-05-27T09:31:14Z",
  "published": "2026-05-27T09:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41669"
    },
    {
      "type": "WEB",
      "url": "https://www.certvde.com/en/advisories/VDE-2026-050"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

VDE-2026-050

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2026-05-27 10:00 - Updated: 2026-05-27 10:00

Summary

Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files

Severity

High

Notes

General Recommendation: Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [Application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).

Impact: Depending on the vulnerability exploited, an attacker may be able to install manipulated APPs, influence the execution of privileged services through crafted configuration files, or execute unauthorized code with elevated permissions. This may lead to a compromise of integrity and availability of the PLCnext Control. Attack vectors include network-based access via the Web-based Management interface as well as local access by authenticated low-privileged users.

Remediation: Phoenix Contact recommends updating affected devices to PLCnext firmware version 2026.0.3 or later, which addresses all vulnerabilities described in this advisory. If immediate updates are not possible, refer to the CVE-specific mitigation measures described below.

Summary: This advisory addresses security issues in PLCnext firmware versions prior to 2026.0.3 that are related to APP handling and the processing of configuration files. The identified vulnerabilities affect APP installation authenticity as well as the handling of configuration data in writable directories. Successful exploitation may allow authenticated attackers with different privilege levels to compromise integrity, availability, and system security of affected PLCnext Control. Both issues are resolved starting with PLCnext firmware version 2026.0.3.

Mitigation: The following mitigation measures are recommended. Depending on the operational environment, one or more of these measures may be applied to reduce risk: - Install APPs only from trusted sources and manually verify the SHA-256 checksum of the downloaded APP file before installation. - Restrict access to the Web-based Management interface to authorized users only. - Use firewall configuration to limit access to management interfaces and required services. Firewall configuration should be used to limit network communication to required services and to supervise execution behavior. - Protect Engineer credentials and apply strong authentication practices. - If APP functionality is not required for operation, consider disabling the APP Manager to reduce the attack surface. - Exploitation of CVE-2025-41670 requires local access to the device; therefore, local access should be restricted to authorized and trusted users only. The device should be operated in a secured and controlled environment to prevent unauthorized local access. - Enable system wide Syslog Server and check local security notifications to detect unexpected APP installation, execution behavior or abnormal system activity. - Apply the latest firmware and security updates provided by the vendor

CVE-2025-41669

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-347 - Improper Verification of Cryptographic Signature

Mitigation For firmware versions prior to 2026.0.3 apps are installed via WBM (APP Manager) without enforced authenticity validation. Verify the SHA-256 checksum provided by the PLCnext Store manually before installing an APP. Restrict WBM access to trusted IP ranges via the firewall and protect Engineer credentials. Monitor APP lifecycle security notifications locally or via a central Syslog server. If APPs are not required, disable the APP Manager service via the WBM System Services page to eliminate an unnecessary attack vector. Starting with firmware version 2026.0.3, APP signature verification is enabled by default and only signed apps can be installed.

Vendor Fix Update to PLCnext firmware version 2026.0.3 or later where APP signature verification is enforced by default. Check regularly for firmware updates and apply them as soon as they are available for the specific device.

Affected products

Fixed 13 products

Product	Identifier	Version	Remediation
Unresolved product id: CSAFPID-32001		—
Unresolved product id: CSAFPID-32002		—
Unresolved product id: CSAFPID-32003		—
Unresolved product id: CSAFPID-32004		—
Unresolved product id: CSAFPID-32005		—
Unresolved product id: CSAFPID-32006		—
Unresolved product id: CSAFPID-32008		—
Unresolved product id: CSAFPID-32009		—
Unresolved product id: CSAFPID-32010		—
Unresolved product id: CSAFPID-32011		—
Unresolved product id: CSAFPID-32012		—
Unresolved product id: CSAFPID-32013		—
Unresolved product id: CSAFPID-32014		—

Known affected 14 products

Product	Identifier	Version	Remediation
Unresolved product id: CSAFPID-31001		—
Unresolved product id: CSAFPID-31002		—
Unresolved product id: CSAFPID-31003		—
Unresolved product id: CSAFPID-31004		—
Unresolved product id: CSAFPID-31005		—
Unresolved product id: CSAFPID-31006		—
Unresolved product id: CSAFPID-31007		—
Unresolved product id: CSAFPID-31008		—
Unresolved product id: CSAFPID-31009		—
Unresolved product id: CSAFPID-31010		—
Unresolved product id: CSAFPID-31011		—
Unresolved product id: CSAFPID-31012		—
Unresolved product id: CSAFPID-31013		—
Unresolved product id: CSAFPID-31014		—

CVE-2025-41670

A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-427 - Uncontrolled Search Path Element

Vendor Fix Update to PLCnext firmware version 2026.0.3 or later which fixes this vulnerability. Check regularly for firmware updates and apply them as soon as they are available for the specific device.

Affected products

Fixed 14 products

Product	Identifier	Version	Remediation
Unresolved product id: CSAFPID-32001		—
Unresolved product id: CSAFPID-32002		—
Unresolved product id: CSAFPID-32003		—
Unresolved product id: CSAFPID-32004		—
Unresolved product id: CSAFPID-32005		—
Unresolved product id: CSAFPID-32006		—
Unresolved product id: CSAFPID-32007		—
Unresolved product id: CSAFPID-32008		—
Unresolved product id: CSAFPID-32009		—
Unresolved product id: CSAFPID-32010		—
Unresolved product id: CSAFPID-32011		—
Unresolved product id: CSAFPID-32012		—
Unresolved product id: CSAFPID-32013		—
Unresolved product id: CSAFPID-32014		—

Known affected 14 products

Product	Identifier	Version	Remediation
Unresolved product id: CSAFPID-31001		—
Unresolved product id: CSAFPID-31002		—
Unresolved product id: CSAFPID-31003		—
Unresolved product id: CSAFPID-31004		—
Unresolved product id: CSAFPID-31005		—
Unresolved product id: CSAFPID-31006		—
Unresolved product id: CSAFPID-31007		—
Unresolved product id: CSAFPID-31008		—
Unresolved product id: CSAFPID-31009		—
Unresolved product id: CSAFPID-31010		—
Unresolved product id: CSAFPID-31011		—
Unresolved product id: CSAFPID-31012		—
Unresolved product id: CSAFPID-31013		—
Unresolved product id: CSAFPID-31014		—

References

6 references

URL	Category
https://phoenixcontact.com/psirt	external
https://certvde.com/de/advisories/vendor/phoenixcontact	external
https://certvde.com/en/advisories/VDE-2026-050	self
https://phoenixcontact.csaf-tp.certvde.com/.well-…	self
https://www.first.org/cvss/calculator/4.0#CVSS:4.…	external
https://www.first.org/cvss/calculator/4.0#CVSS:4.…	external

Acknowledgments

CERT@VDE certvde.com

Nozomi Diego Giubertoni

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination.",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Diego Giubertoni"
        ],
        "organization": "Nozomi",
        "summary": "Reporting"
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "general",
        "text": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [Application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).",
        "title": "General Recommendation"
      },
      {
        "category": "description",
        "text": "Depending on the vulnerability exploited, an attacker may be able to install manipulated APPs, influence the execution of privileged services through crafted configuration files, or execute unauthorized code with elevated permissions. This may lead to a compromise of integrity and availability of the PLCnext Control. Attack vectors include network-based access via the Web-based Management interface as well as local access by authenticated low-privileged users.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Phoenix Contact recommends updating affected devices to PLCnext firmware version 2026.0.3 or later, which addresses all vulnerabilities described in this advisory. If immediate updates are not possible, refer to the CVE-specific mitigation measures described below.",
        "title": "Remediation"
      },
      {
        "category": "summary",
        "text": "This advisory addresses security issues in PLCnext firmware versions prior to 2026.0.3 that are related to APP handling and the processing of configuration files. The identified vulnerabilities affect APP installation authenticity as well as the handling of configuration data in writable directories. Successful exploitation may allow authenticated attackers with different privilege levels to compromise integrity, availability, and system security of affected PLCnext Control. Both issues are resolved starting with PLCnext firmware version 2026.0.3.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The following mitigation measures are recommended. Depending on the operational environment, one or more of these measures may be applied to reduce risk:\n\n- Install APPs only from trusted sources and manually verify the SHA-256 checksum of the downloaded APP file before installation.\n- Restrict access to the Web-based Management interface to authorized users only.\n- Use firewall configuration to limit access to management interfaces and required services. Firewall configuration should be used to limit network communication to required services and to supervise execution behavior.\n- Protect Engineer credentials and apply strong authentication practices.\n- If APP functionality is not required for operation, consider disabling the APP Manager to reduce the attack surface.\n- Exploitation of CVE-2025-41670 requires local access to the device; therefore, local access should be restricted to authorized and trusted users only. The device should be operated in a secured and controlled environment to prevent unauthorized local access.\n- Enable system wide Syslog Server and check local security notifications to detect unexpected APP installation, execution behavior or abnormal system activity.\n- Apply the latest firmware and security updates provided by the vendor",
        "title": "Mitigation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "PCSA-2026-00005",
        "url": "https://phoenixcontact.com/psirt"
      },
      {
        "category": "external",
        "summary": "Phoenix Contact advisory overview at CERT@VDE",
        "url": "https://certvde.com/de/advisories/vendor/phoenixcontact"
      },
      {
        "category": "self",
        "summary": "VDE-2026-050: Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2026-050"
      },
      {
        "category": "self",
        "summary": "VDE-2026-050: Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-050.json"
      }
    ],
    "source_lang": "en",
    "title": "Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files",
    "tracking": {
      "aliases": [
        "VDE-2026-050",
        "PCSA-2026-00005"
      ],
      "current_release_date": "2026-05-27T10:00:00.000Z",
      "generator": {
        "date": "2026-05-27T07:05:10.994Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "VDE-2026-050",
      "initial_release_date": "2026-05-27T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-27T10:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AXC F 1152",
                "product": {
                  "name": "AXC F 1152",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1151412"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "AXC F 1252",
                "product": {
                  "name": "AXC F 1252",
                  "product_id": "CSAFPID-11012",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1646469"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "AXC F 2000 EA",
                "product": {
                  "name": "AXC F 2000 EA",
                  "product_id": "CSAFPID-11013",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1551772"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "AXC F 2152",
                "product": {
                  "name": "AXC F 2152",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2404267"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "AXC F 3152",
                "product": {
                  "name": "AXC F 3152",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1069208"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "BPC 9102S",
                "product": {
                  "name": "BPC 9102S",
                  "product_id": "CSAFPID-11011",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1246285"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "EPC 1522",
                "product": {
                  "name": "EPC 1522",
                  "product_id": "CSAFPID-11016",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1185423"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "RFC 4072R",
                "product": {
                  "name": "RFC 4072R",
                  "product_id": "CSAFPID-11014",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1136419"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "RFC 4072S",
                "product": {
                  "name": "RFC 4072S",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1051328"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "VL3 UPC 2440 EDGE",
                "product": {
                  "name": "VL3 UPC 2440 EDGE",
                  "product_id": "CSAFPID-11015",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1760157"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "VPLCNEXT CONTROL 1000",
                "product": {
                  "name": "VPLCNEXT CONTROL 1000",
                  "product_id": "CSAFPID-11031",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1737875"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "VPLCNEXT CONTROL 2000",
                "product": {
                  "name": "VPLCNEXT CONTROL 2000",
                  "product_id": "CSAFPID-11032",
                  "product_identification_helper": {
                    "model_numbers": [
                      " 1738453 "
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "VPLCNEXT CONTROL 3000",
                "product": {
                  "name": "VPLCNEXT CONTROL 3000",
                  "product_id": "CSAFPID-11033",
                  "product_identification_helper": {
                    "model_numbers": [
                      "  1738454"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "VPLCNEXT CONTROL 500",
                "product": {
                  "name": "VPLCNEXT CONTROL 500",
                  "product_id": "CSAFPID-11030",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1751491"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:generic/\u003c2026.0.3",
                "product": {
                  "name": "\u003c2026.0.3",
                  "product_id": "CSAFPID-21001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1151412",
                      "1646469",
                      "1551772",
                      "2404267",
                      "1069208",
                      "1246285",
                      "1185423",
                      "1136419",
                      "1051328",
                      "1760157",
                      "1737875",
                      "1738453",
                      "1738454",
                      "1751491"
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "2026.0.3",
                "product": {
                  "name": "2026.0.3",
                  "product_id": "CSAFPID-22001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "1151412",
                      "1646469",
                      "1551772",
                      "2404267",
                      "1069208",
                      "1246285",
                      "1185423",
                      "1136419",
                      "1051328",
                      "1760157",
                      "1737875",
                      "1738453",
                      "1738454",
                      "1751491"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Phoenix Contact GmbH \u0026 Co. KG"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-61001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31011",
          "CSAFPID-31012",
          "CSAFPID-31013",
          "CSAFPID-31014"
        ],
        "summary": "Affected Products."
      },
      {
        "group_id": "CSAFGID-62002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012",
          "CSAFPID-32013",
          "CSAFPID-32014"
        ],
        "summary": "Fixed Products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on AXC F 1152",
          "product_id": "CSAFPID-31001",
          "product_identification_helper": {
            "model_numbers": [
              "1151412"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on AXC F 1152",
          "product_id": "CSAFPID-32001",
          "product_identification_helper": {
            "model_numbers": [
              "1151412"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on AXC F 1252",
          "product_id": "CSAFPID-31002",
          "product_identification_helper": {
            "model_numbers": [
              "1646469"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11012"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on AXC F 1252",
          "product_id": "CSAFPID-32002",
          "product_identification_helper": {
            "model_numbers": [
              "1646469"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11012"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on AXC F 2000 EA",
          "product_id": "CSAFPID-31003",
          "product_identification_helper": {
            "model_numbers": [
              "1551772"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11013"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on AXC F 2000 EA",
          "product_id": "CSAFPID-32003",
          "product_identification_helper": {
            "model_numbers": [
              "1551772"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11013"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on AXC F 2152",
          "product_id": "CSAFPID-31004",
          "product_identification_helper": {
            "model_numbers": [
              "2404267"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on AXC F 2152",
          "product_id": "CSAFPID-32004",
          "product_identification_helper": {
            "model_numbers": [
              "2404267"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on AXC F 3152",
          "product_id": "CSAFPID-31005",
          "product_identification_helper": {
            "model_numbers": [
              "1069208"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on AXC F 3152",
          "product_id": "CSAFPID-32005",
          "product_identification_helper": {
            "model_numbers": [
              "1069208"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on BPC 9102S",
          "product_id": "CSAFPID-31006",
          "product_identification_helper": {
            "model_numbers": [
              "1246285"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11011"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on BPC 9102S",
          "product_id": "CSAFPID-32006",
          "product_identification_helper": {
            "model_numbers": [
              "1246285"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11011"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on EPC 1522",
          "product_id": "CSAFPID-31007",
          "product_identification_helper": {
            "model_numbers": [
              "1185423"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11016"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on EPC 1522",
          "product_id": "CSAFPID-32007",
          "product_identification_helper": {
            "model_numbers": [
              "1185423"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11016"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on RFC 4072R",
          "product_id": "CSAFPID-31008",
          "product_identification_helper": {
            "model_numbers": [
              "1136419"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11014"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on RFC 4072R",
          "product_id": "CSAFPID-32008",
          "product_identification_helper": {
            "model_numbers": [
              "1136419"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11014"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on RFC 4072S",
          "product_id": "CSAFPID-31009",
          "product_identification_helper": {
            "model_numbers": [
              "1051328"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on RFC 4072S",
          "product_id": "CSAFPID-32009",
          "product_identification_helper": {
            "model_numbers": [
              "1051328"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on VL3 UPC 2440 EDGE",
          "product_id": "CSAFPID-31010",
          "product_identification_helper": {
            "model_numbers": [
              "1760157"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11015"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on VL3 UPC 2440 EDGE",
          "product_id": "CSAFPID-32010",
          "product_identification_helper": {
            "model_numbers": [
              "1760157"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11015"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on VPLCNEXT CONTROL 1000",
          "product_id": "CSAFPID-31011",
          "product_identification_helper": {
            "model_numbers": [
              "1737875"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11031"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on VPLCNEXT CONTROL 1000",
          "product_id": "CSAFPID-32011",
          "product_identification_helper": {
            "model_numbers": [
              "1737875"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11031"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on VPLCNEXT CONTROL 2000",
          "product_id": "CSAFPID-31012",
          "product_identification_helper": {
            "model_numbers": [
              " 1738453 "
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11032"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on VPLCNEXT CONTROL 2000",
          "product_id": "CSAFPID-32012",
          "product_identification_helper": {
            "model_numbers": [
              " 1738453 "
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11032"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on VPLCNEXT CONTROL 3000",
          "product_id": "CSAFPID-31013",
          "product_identification_helper": {
            "model_numbers": [
              "  1738454"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11033"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on VPLCNEXT CONTROL 3000",
          "product_id": "CSAFPID-32013",
          "product_identification_helper": {
            "model_numbers": [
              "  1738454"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11033"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c 2026.0.3 installed on VPLCNEXT CONTROL 500",
          "product_id": "CSAFPID-31014",
          "product_identification_helper": {
            "model_numbers": [
              "1751491"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11030"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2026.0.3 installed on VPLCNEXT CONTROL 500",
          "product_id": "CSAFPID-32014",
          "product_identification_helper": {
            "model_numbers": [
              "1751491"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11030"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41669",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "notes": [
        {
          "category": "description",
          "text": "The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012",
          "CSAFPID-32013",
          "CSAFPID-32014"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31011",
          "CSAFPID-31012",
          "CSAFPID-31013",
          "CSAFPID-31014"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 8.7 / High",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "For firmware versions prior to 2026.0.3 apps are installed via WBM (APP Manager) without enforced authenticity validation. Verify the SHA-256 checksum provided by the PLCnext Store manually before installing an APP. Restrict WBM access to trusted IP ranges via the firewall and protect Engineer credentials. Monitor APP lifecycle security notifications locally or via a central Syslog server. If APPs are not required, disable the APP Manager service via the WBM System Services page to eliminate an unnecessary attack vector. \n\nStarting with firmware version 2026.0.3, APP signature verification is enabled by default and only signed apps can be installed.",
          "group_ids": [
            "CSAFGID-61001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to PLCnext firmware version 2026.0.3 or later where APP signature verification is enforced by default. Check regularly for firmware updates and apply them as soon as they are available for the specific device.",
          "group_ids": [
            "CSAFGID-61001"
          ],
          "restart_required": {
            "category": "system"
          }
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31011",
            "CSAFPID-31012",
            "CSAFPID-31013",
            "CSAFPID-31014"
          ]
        }
      ],
      "title": "Insufficient Verification of Data Authenticity"
    },
    {
      "cve": "CVE-2025-41670",
      "cwe": {
        "id": "CWE-427",
        "name": "Uncontrolled Search Path Element"
      },
      "notes": [
        {
          "category": "description",
          "text": "A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008",
          "CSAFPID-32009",
          "CSAFPID-32010",
          "CSAFPID-32011",
          "CSAFPID-32012",
          "CSAFPID-32013",
          "CSAFPID-32014"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008",
          "CSAFPID-31009",
          "CSAFPID-31010",
          "CSAFPID-31011",
          "CSAFPID-31012",
          "CSAFPID-31013",
          "CSAFPID-31014"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 8.5 / High",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to PLCnext firmware version 2026.0.3 or later which fixes this vulnerability. Check regularly for firmware updates and apply them as soon as they are available for the specific device.",
          "group_ids": [
            "CSAFGID-61001"
          ],
          "restart_required": {
            "category": "system"
          }
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008",
            "CSAFPID-31009",
            "CSAFPID-31010",
            "CSAFPID-31011",
            "CSAFPID-31012",
            "CSAFPID-31013",
            "CSAFPID-31014"
          ]
        }
      ],
      "title": "Untrusted Search Path"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-41669 (GCVE-0-2025-41669)

FKIE_CVE-2025-41669

GHSA-M3WG-2CH3-59M2

VDE-2026-050

Tags

Sightings

Nomenclature