VDE-2025-064
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2025-09-09 07:00 - Updated: 2025-09-09 07:00
Summary
Phoenix Contact: Products utilizing WIBU-SYSTEMS CodeMeter Runtime Windows Installer have a privilege escalation
Severity
High
Notes
Summary: A local privilege escalation vulnerability in Phoenix Contact products utilizing WIBU-SYSTEMS CodeMeter Runtime allows users to gain admin rights on freshly installed systems. The CodeMeter Control Center starts with elevated privileges and retains them until restarted, enabling unauthorized access to admin tools like cmd.exe.
Impact: The effect is that CodeMeter Control Center can be launched once as administrator and will remain with these privileges until it is either manually closed or the user is logged out. In this case a malicious user can navigate, for example, to C:\Windows\System32\ and right-click on cmd.exe and select "open", thus getting an administrator console. This vulnerability only affects freshly installed systems until CodeMeter Control Center is restarted.
Remediation: PHOENIX CONTACT strongly recommends that affected users upgrade to CodeMeter V8.30a, which fixes this vulnerability. WIBU-SYSTEMS has already published this update for CodeMeter on their homepage. Since CodeMeter V8.30a has not yet been incorporated into Phoenix Contact products, we strongly recommend downloading and installing the current CodeMeter version directly from the WIBU-SYSTEMS homepage.
Additional Recommendations:
- Regularly check the product's official webpage for updated release versions that support CodeMeter V8.30a.
- Update the Activation Wizard to version 1.8 as soon as it becomes available on the product's download page.
General Recommendation: Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).
Mitigation: After installing the CodeMeter Control Center (at least once), perform one of the following actions:
- Restart your system
- Log out and log in again
- Manually close or restart the CodeMeter Control Center via the system tray icon
These steps must be followed immediately after installing the CodeMeter Runtime or any product that includes the CodeMeter Runtime, because the elevated Control Center instance persists only until it is closed or the session ends.
Vulnerability Description (CVE-2025-47809, CWE-272: Least Privilege Violation)
Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or reboot). For exploitation, there must have been an unprivileged installation with UAC, and the CodeMeter Control Center component must be installed, and the CodeMeter Control Center component must not have been restarted. In this scenario, the local user can navigate from Import License to a privileged instance of Windows Explorer.
CVSS v3.1 base score: 8.2 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Product status (from the CSAF record below)
Known affected:
- Activation Wizard <1.8
- Activation Wizard <1.8 installed with MORYX-Software Platform
- PLCnext Engineer <2025.0.3 (1046008)
- PLCnext Engineer EDU LIC <2025.0.3 (1165889)
- FL Network Manager <=8.0 (2702889)
- EV Charging Suite (all versions) <=1.7.0
- EV Charging Suite (all upgrades) <=1.7.0
- CLIPX ENGINEER ASSEMBLE <=1.0.0 (1662166)
- MLnext Execution <=1.1.3 (1391115)
- MTP DESIGNER / MTP DESIGNER TRAIL <=1.3.1 (1636198, 1636201)
- MLnext Creation <=24.10.0 (1697763)
Fixed:
- Activation Wizard 1.8
- PLCnext Engineer 2025.0.3 (1046008)
- PLCnext Engineer EDU LIC 2025.0.3 (1165889)
Vendor Fix
PHOENIX CONTACT strongly recommends that affected users upgrade to CodeMeter V8.30a, which fixes this vulnerability. WIBU-SYSTEMS has already published this update for CodeMeter on their homepage. Since CodeMeter V8.30a has not yet been incorporated into Phoenix Contact products, we strongly recommend downloading and installing the current CodeMeter version directly from the WIBU-SYSTEMS homepage.
Additional Recommendations:
- Regularly check the product's official webpage for updated release versions that support CodeMeter V8.30a.
- Update the Activation Wizard to version 1.8 as soon as it becomes available on the product's download page.
Mitigation
After installing the CodeMeter Control Center (at least once), perform one of the following actions:
- Restart your system
- Log out and log in again
- Manually close or restart the CodeMeter Control Center via the system tray icon
These steps must be followed immediately after installing the CodeMeter Runtime or any product that includes the CodeMeter Runtime.
References
- PCSA-2025-00011: https://phoenixcontact.com/psirt
- Phoenix Contact advisory overview at CERT@VDE: https://certvde.com/de/advisories/vendor/phoenixcontact/
- Phoenix Contact application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf
- VDE-2025-064 (HTML): https://certvde.com/en/advisories/VDE-2025-064
- VDE-2025-064 (CSAF): https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-064.json
Acknowledgments
- CERT@VDE (https://certvde.com): coordination
- WIBU-SYSTEMS: reporting
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination.",
"urls": [
"https://certvde.com"
]
},
{
"organization": "WIBU-SYSTEMS",
"summary": "reporting."
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "High"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A local privilege escalation vulnerability in Phoenix Contact products utilizing WIBU-SYSTEMS CodeMeter Runtime allows users to gain admin rights on freshly installed systems. The CodeMeter Control Center starts with elevated privileges and retains them until restarted, enabling unauthorized access to admin tools like cmd.exe.",
"title": "Summary"
},
{
"category": "description",
"text": "The effect is that CodeMeter Control Center can be launched once as administrator and will remain with these privileges until it is either manually closed or the user is logged out. In this case a malicious user can navigate, for example, to C:\\Windows\\System32\\ and right-click on cmd.exe and select \"open\", thus getting an administrator console. This vulnerability only affects freshly installed systems until CodeMeter Control Center is restarted.",
"title": "Impact"
},
{
"category": "description",
"text": "PHOENIX CONTACT strongly recommends affected users to upgrade to CodeMeter V8.30a, which fixes these vulnerabilities. WIBU-SYSTEMS has already published this update for CodeMeter on their homepage. Since this current version of CodeMeter V8.30a has not yet been incorporated into Phoenix Contact products, we strongly recommend to download and install the current CodeMeter version directly from the WIBU-SYSTEMS homepage.\n\nAdditional Recommendations:\nRegularly check the product\u0027s official webpage for updated release versions that support CodeMeter V8.30a.\nUpdate the Activation Wizard to version 1.8 as soon as it becomes available on the product\u0027s download page.",
"title": "Remediation"
},
{
"category": "general",
"text": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).",
"title": "General Recommendation"
},
{
"category": "description",
"text": "After installing the CodeMeter Control Center (at least once), please perform one of the following actions:\n- Restart your system\n- Log-out and log-in in\n- Manually close or restart the CodeMeter Control Center via the system tray icon\n\n These steps must be followed immediately after installing the CodeMeter Runtime or any product that includes the CodeMeter Runtime.\n\n\n\n",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "external",
"summary": "PCSA-2025-00011",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "Phoenix Contact advisory overview at CERT@VDE",
"url": "https://certvde.com/de/advisories/vendor/phoenixcontact/"
},
{
"category": "external",
"summary": "Phoenix Contact application note",
"url": "https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"
},
{
"category": "self",
"summary": "VDE-2025-064: Phoenix Contact: Products utilizing WIBU-SYSTEMS CodeMeter Runtime Windows Installer have a privilege escalation - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-064"
},
{
"category": "self",
"summary": "VDE-2025-064: Phoenix Contact: Products utilizing WIBU-SYSTEMS CodeMeter Runtime Windows Installer have a privilege escalation - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-064.json"
}
],
"source_lang": "en",
"title": "Phoenix Contact: Products utilizing WIBU-SYSTEMS CodeMeter Runtime Windows Installer have a privilege escalation",
"tracking": {
"aliases": [
"VDE-2025-064",
"PCSA-2025-00011"
],
"current_release_date": "2025-09-09T07:00:00.000Z",
"generator": {
"date": "2025-09-05T10:26:08.025Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.33"
}
},
"id": "VDE-2025-064",
"initial_release_date": "2025-09-09T07:00:00.000Z",
"revision_history": [
{
"date": "2025-09-09T07:00:00.000Z",
"number": "1",
"summary": "Initial"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Activation Wizard\u003c1.8",
"product": {
"name": "Activation Wizard \u003c1.8",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "Activation Wizard 1.8",
"product": {
"name": "Activation Wizard 1.8",
"product_id": "CSAFPID-52001"
}
},
{
"category": "product_version_range",
"name": "PLCnext Engineer\u003c2025.0.3",
"product": {
"name": "PLCnext Engineer \u003c2025.0.3",
"product_id": "CSAFPID-51002",
"product_identification_helper": {
"model_numbers": [
"1046008"
]
}
}
},
{
"category": "product_version",
"name": "PLCnext Engineer 2025.0.3",
"product": {
"name": "PLCnext Engineer 2025.0.3",
"product_id": "CSAFPID-52002",
"product_identification_helper": {
"model_numbers": [
"1046008"
]
}
}
},
{
"category": "product_version_range",
"name": "PLCnext Engineer EDU LIC\u003c2025.0.3",
"product": {
"name": "PLCnext Engineer EDU LIC \u003c2025.0.3",
"product_id": "CSAFPID-51003",
"product_identification_helper": {
"model_numbers": [
"1165889"
]
}
}
},
{
"category": "product_version",
"name": "PLCnext Engineer EDU LIC 2025.0.3",
"product": {
"name": "PLCnext Engineer EDU LIC 2025.0.3",
"product_id": "CSAFPID-52003",
"product_identification_helper": {
"model_numbers": [
"1165889"
]
}
}
},
{
"category": "product_version_range",
"name": "FL Network Manager\u003c=8.0",
"product": {
"name": "FL Network Manager \u003c=8.0",
"product_id": "CSAFPID-51004",
"product_identification_helper": {
"model_numbers": [
"2702889"
]
}
}
},
{
"category": "product_version",
"name": "FL Network Manager 9.0",
"product": {
"name": "FL Network Manager 9.0",
"product_id": "CSAFPID-52004",
"product_identification_helper": {
"model_numbers": [
"2702889"
]
}
}
},
{
"category": "product_version_range",
"name": "EV Charging Suite (all versions)\u003c=1.7.0",
"product": {
"name": "EV Charging Suite (all versions) \u003c=1.7.0",
"product_id": "CSAFPID-51005",
"product_identification_helper": {
"model_numbers": [
"1153509",
"1153508",
"1128335",
"1086929",
"1086921",
"1086920"
]
}
}
},
{
"category": "product_version_range",
"name": "EV Charging Suite (all upgrades)\u003c=1.7.0",
"product": {
"name": "EV Charging Suite (all upgrades) \u003c=1.7.0",
"product_id": "CSAFPID-51006",
"product_identification_helper": {
"model_numbers": [
"1153520",
"1153516",
"1153513",
"1086891",
"1086889"
]
}
}
},
{
"category": "product_version_range",
"name": "CLIPX ENGINEER ASSEMBLE\u003c=1.0.0",
"product": {
"name": "CLIPX ENGINEER ASSEMBLE \u003c=1.0.0",
"product_id": "CSAFPID-51007",
"product_identification_helper": {
"model_numbers": [
"1662166"
]
}
}
},
{
"category": "product_version",
"name": "CLIPX ENGINEER ASSEMBLE 1.2.0",
"product": {
"name": "CLIPX ENGINEER ASSEMBLE 1.2.0",
"product_id": "CSAFPID-52007",
"product_identification_helper": {
"model_numbers": [
"1662166"
]
}
}
},
{
"category": "product_version_range",
"name": "MLnext Execution\u003c=1.1.3",
"product": {
"name": "MLnext Execution \u003c=1.1.3",
"product_id": "CSAFPID-51012",
"product_identification_helper": {
"model_numbers": [
"1391115"
]
}
}
},
{
"category": "product_version",
"name": "MLnext Execution 25.8.0",
"product": {
"name": "MLnext Execution 25.8.0",
"product_id": "CSAFPID-52008",
"product_identification_helper": {
"model_numbers": [
"1391115"
]
}
}
},
{
"category": "product_version_range",
"name": "MTP DESIGNER / MTP DESIGNER TRAIL\u003c=1.3.1",
"product": {
"name": "MTP DESIGNER / MTP DESIGNER TRAIL \u003c=1.3.1",
"product_id": "CSAFPID-51009",
"product_identification_helper": {
"model_numbers": [
"1636198",
"1636201"
]
}
}
},
{
"category": "product_version",
"name": "MTP DESIGNER / MTP DESIGNER TRAIL 1.3.2",
"product": {
"name": "MTP DESIGNER / MTP DESIGNER TRAIL 1.3.2",
"product_id": "CSAFPID-52009",
"product_identification_helper": {
"model_numbers": [
"1636198",
"1636201"
]
}
}
},
{
"category": "product_name",
"name": "MORYX-Software Platform",
"product": {
"name": "MORYX-Software Platform",
"product_id": "CSAFPID-51010",
"product_identification_helper": {
"model_numbers": [
"1373907",
"1373909",
"1373233",
"1373910",
"1373226",
"1373236",
"1373231",
"1373224",
"1373913",
"1373912",
"1373238",
"1373914",
"1373915",
"1373916",
"1373917",
"1373918",
"1373908",
"1550573",
"1550576",
"1550581",
"1550587",
"1550580",
"1550582",
"1532628",
"1550574",
"1550589"
]
}
}
},
{
"category": "product_version_range",
"name": "MLnext Creation\u003c=24.10.0",
"product": {
"name": "MLnext Creation \u003c=24.10.0",
"product_id": "CSAFPID-51011",
"product_identification_helper": {
"model_numbers": [
"1697763"
]
}
}
},
{
"category": "product_version",
"name": "MLnext Creation 25.8.0",
"product": {
"name": "MLnext Creation 25.8.0",
"product_id": "CSAFPID-52011",
"product_identification_helper": {
"model_numbers": [
"1697763"
]
}
}
}
],
"category": "product_family",
"name": "CodeMeter Runtime licensed Software"
}
],
"category": "vendor",
"name": "Phoenix Contact GmbH \u0026 Co. KG"
}
],
"product_groups": [
{
"group_id": "CSAFGID-61001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51012",
"CSAFPID-51009",
"CSAFPID-31001",
"CSAFPID-51011"
],
"summary": "Affected Products."
},
{
"group_id": "CSAFGID-62001",
"product_ids": [
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52001"
],
"summary": "Fixed Products."
}
],
"relationships": [
{
"category": "installed_with",
"full_product_name": {
"name": "Activation Wizard \u003c1.8 installed with MORYX-Software Platform",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-51010"
},
{
"category": "installed_with",
"full_product_name": {
"name": "Activation Wizard 1.8 installed with MORYX-Software Platform",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-51010"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47809",
"cwe": {
"id": "CWE-272",
"name": "Least Privilege Violation"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or reboot). For exploitation, there must have been an unprivileged installation with UAC, and the CodeMeter Control Center component must be installed, and the CodeMeter Control Center component must not have been restarted. In this scenario, the local user can navigate from Import License to a privileged instance of Windows Explorer.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52001"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51012",
"CSAFPID-31001",
"CSAFPID-51011"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "PHOENIX CONTACT strongly recommends affected users to upgrade to CodeMeter V8.30a, which fixes these vulnerabilities. WIBU-SYSTEMS has already published this update for CodeMeter on their homepage. Since this current version of CodeMeter V8.30a has not yet been incorporated into Phoenix Contact products, we strongly recommend to download and install the current CodeMeter version directly from the WIBU-SYSTEMS homepage.\n\nAdditional Recommendations:\nRegularly check the product\u0027s official webpage for updated release versions that support CodeMeter V8.30a.\nUpdate the Activation Wizard to version 1.8 as soon as it becomes available on the product\u0027s download page.",
"group_ids": [
"CSAFGID-61001"
]
},
{
"category": "mitigation",
"details": "After installing the CodeMeter Control Center (at least once), please perform one of the following actions:\n- Restart your system\n- Log-out and log-in in\n- Manually close or restart the CodeMeter Control Center via the system tray icon\n\n These steps must be followed immediately after installing the CodeMeter Runtime or any product that includes the CodeMeter Runtime.",
"group_ids": [
"CSAFGID-61001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.3,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"temporalScore": 8.2,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51012",
"CSAFPID-31001",
"CSAFPID-51011"
]
}
],
"title": "CVE-2025-47809"
}
]
}