VDE-2025-072

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2025-10-14 06:00 - Updated: 2025-10-14 06:00
Summary
Phoenix Contact: Security Advisory for QUINT4-UPS EIP
Severity
High
Notes
Summary: Multiple vulnerabilities were discovered in the firmware of QUINT4-UPS EIP devices that can be used by an unauthenticated remote attacker to perform Denial of Service attacks and to gather login credentials for the Webfrontend.
Impact: A successful attack can lead to Denial of Service or exposure of credentials.
Mitigation: Affected devices are designed and developed for the use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.
Remediation: Starting with version VC:07, all newly shipped devices will include firmware updates that address four vulnerabilities: CVE-2025-41704, CVE-2025-41705, CVE-2025-41706, and CVE-2025-41707. However, configuration of devices via unauthenticated Modbus/TCP remains possible in VC:07, as this protocol is a widely used standard in the industrial sector. As a result, VC:07 is still affected by CVE-2025-41703.
Product description: Uninterruptible power supplies with an EIP interface.
General Recommendation: For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: [Application Note Security](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).
CVE-2025-41703

An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-306 - Missing Authentication for Critical Function
Mitigation This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf). In the industrial sector it is common practice to use Modbus/TCP without authentication.
Affected products
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:00<VC:07
No Fix Planned
QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:00<VC:07
No Fix Planned
QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:00<VC:07
No Fix Planned
QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:00<VC:07
No Fix Planned
QUINT4-UPS/24DC/24DC/5/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:07
No Fix Planned
QUINT4-UPS/24DC/24DC/10/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:07
No Fix Planned
QUINT4-UPS/24DC/24DC/20/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:07
No Fix Planned
QUINT4-UPS/24DC/24DC/40/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:07
No Fix Planned
CVE-2025-41704

An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality.

5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-770 - Allocation of Resources Without Limits or Throttling
Mitigation This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).
Vendor Fix Starting with VC:07 the affected devices will be shipped with a fixed firmware.
Affected products
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:07
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:00<VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:00<VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:00<VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:00<VC:07
CVE-2025-41705

An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.

6.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE-523 - Unprotected Transport of Credentials
Mitigation This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).
Vendor Fix Starting with VC:07 the affected devices will be shipped with a fixed firmware.
Affected products
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:07
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:00<VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:00<VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:00<VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:00<VC:07
CVE-2025-41706

The webserver is vulnerable to a denial of service condition. An unauthenticated remote attacker can craft a special GET request with an over-long content-length to trigger the issue without affecting the core functionality.

5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Mitigation This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).
Vendor Fix Starting with VC:07 the affected devices will be shipped with a fixed firmware.
Affected products
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:07
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:00<VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:00<VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:00<VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:00<VC:07
CVE-2025-41707

The websocket handler is vulnerable to a denial of service condition. An unauthenticated remote attacker can send a crafted websocket message to trigger the issue without affecting the core functionality.

5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Mitigation This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).
Vendor Fix Starting with VC:07 the affected devices will be shipped with a fixed firmware.
Affected products
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:07
Product Identifier Version Remediation
QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/5/EIP
 2906994 VC:00<VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/10/EIP
 2907069 VC:00<VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/20/EIP
 2907074 VC:00<VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07
Phoenix Contact / Hardware / QUINT4-UPS/24DC/24DC/40/EIP
 2907080 VC:00<VC:07
References
Acknowledgments
CERTVDE certvde.com/en/
CyberDanube Security Research D. Blagojevic S. Dietz F. Koroknai T. Weber
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERTVDE",
        "summary": "Coordination",
        "urls": [
          "https://certvde.com/en/"
        ]
      },
      {
        "names": [
          "D. Blagojevic",
          "S. Dietz",
          "F. Koroknai",
          "T. Weber"
        ],
        "organization": "CyberDanube Security Research",
        "summary": "Reporting"
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Multiple vulnerabilities were discovered in the firmware of QUINT4-UPS EIP devices that can be used by an unauthenticated remote attacker to perform Denial of Service attacks and to gather login credentials for the Webfrontend.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "A successful attack can lead to Denial of Service or exposure of credentials.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Affected devices are designed and developed for the use in closed industrial networks. Phoenix Contact therefore strongly recommends using the devices exclusively in closed networks and protected by a suitable firewall.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Starting with version VC:07, all newly shipped devices will include firmware updates that address four vulnerabilities: CVE-2025-41704, CVE-2025-41705, CVE-2025-41706, and CVE-2025-41707.\n\nHowever, configuration of devices via unauthenticated Modbus/TCP remains possible in VC:07, as this protocol is a widely used standard in the industrial sector. As a result, VC:07 is still affected by CVE-2025-41703.",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "Uninterruptible power supplies with an EIP interface.",
        "title": "Product description"
      },
      {
        "category": "general",
        "text": "For general information and recommendations on security measures to protect network-enabled devices, refer to the application note: [Application Note Security](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).",
        "title": "General Recommendation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2025-072: Phoenix Contact: Security Advisory for QUINT4-UPS EIP - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-072/"
      },
      {
        "category": "external",
        "summary": "Phoenix Contact advisory overview at CERT@VDE",
        "url": "https://certvde.com/de/advisories/vendor/phoenixcontact/"
      },
      {
        "category": "external",
        "summary": "PCSA-2025-00013",
        "url": "https://phoenixcontact.com/psirt"
      },
      {
        "category": "self",
        "summary": "VDE-2025-072: Phoenix Contact: Security Advisory for QUINT4-UPS EIP - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-072.json"
      }
    ],
    "title": "Phoenix Contact: Security Advisory for QUINT4-UPS EIP",
    "tracking": {
      "aliases": [
        "VDE-2025-072",
        "PCSA-2025-00013"
      ],
      "current_release_date": "2025-10-14T06:00:00.000Z",
      "generator": {
        "date": "2025-10-02T10:44:33.155Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.36"
        }
      },
      "id": "VDE-2025-072",
      "initial_release_date": "2025-10-14T06:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-10-14T06:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "VC:00\u003cVC:07",
                    "product": {
                      "name": "QUINT4-UPS/24DC/24DC/5/EIP VC:00\u003cVC:07",
                      "product_id": "CSAFPID-11001",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2906994"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "VC:07",
                    "product": {
                      "name": "QUINT4-UPS/24DC/24DC/5/EIP VC:07",
                      "product_id": "CSAFPID-12001",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2906994"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "QUINT4-UPS/24DC/24DC/5/EIP"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "VC:00\u003cVC:07",
                    "product": {
                      "name": "QUINT4-UPS/24DC/24DC/10/EIP VC:00\u003cVC:07",
                      "product_id": "CSAFPID-11002",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2907069"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "VC:07",
                    "product": {
                      "name": "QUINT4-UPS/24DC/24DC/10/EIP VC:07",
                      "product_id": "CSAFPID-12002",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2907069"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "QUINT4-UPS/24DC/24DC/10/EIP"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "VC:00\u003cVC:07",
                    "product": {
                      "name": "QUINT4-UPS/24DC/24DC/20/EIP VC:00\u003cVC:07",
                      "product_id": "CSAFPID-11003",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2907074"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "VC:07",
                    "product": {
                      "name": "QUINT4-UPS/24DC/24DC/20/EIP VC:07",
                      "product_id": "CSAFPID-12003",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2907074"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "QUINT4-UPS/24DC/24DC/20/EIP"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "VC:00\u003cVC:07",
                    "product": {
                      "name": "QUINT4-UPS/24DC/24DC/40/EIP VC:00\u003cVC:07",
                      "product_id": "CSAFPID-11004",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2907080"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "VC:07",
                    "product": {
                      "name": "QUINT4-UPS/24DC/24DC/40/EIP VC:07",
                      "product_id": "CSAFPID-12004",
                      "product_identification_helper": {
                        "model_numbers": [
                          "2907080"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "QUINT4-UPS/24DC/24DC/40/EIP"
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          }
        ],
        "category": "vendor",
        "name": "Phoenix Contact"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003",
          "CSAFPID-11004",
          "CSAFPID-12001",
          "CSAFPID-12002",
          "CSAFPID-12003",
          "CSAFPID-12004"
        ],
        "summary": "Affected Products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-12001",
          "CSAFPID-12002",
          "CSAFPID-12003",
          "CSAFPID-12004"
        ],
        "summary": "Fixed Products. (CVE-2025-41704, CVE-2025-41705, CVE-2025-41706, CVE-2025-41707)"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41703",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003",
          "CSAFPID-11004",
          "CSAFPID-12001",
          "CSAFPID-12002",
          "CSAFPID-12003",
          "CSAFPID-12004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf). \n\nIn the industrial sector it is common practice to use Modbus/TCP without authentication.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "Configuration via unauthenticated modbus commands is a commonly used feature in the industrial sector. It is necessary take appropriate steps in the application to limit modbus access to the device. ",
          "product_ids": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003",
            "CSAFPID-11004",
            "CSAFPID-12001",
            "CSAFPID-12002",
            "CSAFPID-12003",
            "CSAFPID-12004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003",
            "CSAFPID-11004",
            "CSAFPID-12001",
            "CSAFPID-12002",
            "CSAFPID-12003",
            "CSAFPID-12004"
          ]
        }
      ],
      "title": "Phoenix Contact: UPS Shutdown via Unauthenticated Modbus Command"
    },
    {
      "cve": "CVE-2025-41704",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function  and sub-function code without affecting the core functionality.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-12001",
          "CSAFPID-12002",
          "CSAFPID-12003",
          "CSAFPID-12004"
        ],
        "known_affected": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003",
          "CSAFPID-11004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf). ",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Starting with VC:07 the affected devices will be shipped with a fixed firmware. ",
          "group_ids": [
            "CSAFGID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003",
            "CSAFPID-11004"
          ]
        }
      ],
      "title": "Phoenix Contact: Unauthenticated Modbus Service DoS via Crafted Function Code"
    },
    {
      "cve": "CVE-2025-41705",
      "cwe": {
        "id": "CWE-523",
        "name": "Unprotected Transport of Credentials"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthenticated remote\nattacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-12001",
          "CSAFPID-12002",
          "CSAFPID-12003",
          "CSAFPID-12004"
        ],
        "known_affected": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003",
          "CSAFPID-11004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf). ",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Starting with VC:07 the affected devices will be shipped with a fixed firmware. ",
          "group_ids": [
            "CSAFGID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 6.8,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.8,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003",
            "CSAFPID-11004"
          ]
        }
      ],
      "title": "Phoenix Contact: WebSocket Message Interception Leaks Webfrontend Credentials"
    },
    {
      "cve": "CVE-2025-41706",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "The webserver is vulnerable to a denial of service condition. An unauthenticated remote attacker can craft a special GET request with an over-long content-length to trigger the issue without affecting the core functionality.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-12001",
          "CSAFPID-12002",
          "CSAFPID-12003",
          "CSAFPID-12004"
        ],
        "known_affected": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003",
          "CSAFPID-11004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf). \n",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Starting with VC:07 the affected devices will be shipped with a fixed firmware. ",
          "group_ids": [
            "CSAFGID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003",
            "CSAFPID-11004"
          ]
        }
      ],
      "title": "Phoenix Contact: Webserver Denial of Service through Malformed Content-Length"
    },
    {
      "cve": "CVE-2025-41707",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "The websocket handler is vulnerable to a denial of service condition. An unauthenticated remote attacker can send a crafted websocket message to trigger the issue without affecting the core functionality.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-12001",
          "CSAFPID-12002",
          "CSAFPID-12003",
          "CSAFPID-12004"
        ],
        "known_affected": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003",
          "CSAFPID-11004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "This product was designed for use in closed industrial networks. Phoenix Contact strongly recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf). \n",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Starting with VC:07 the affected devices will be shipped with a fixed firmware. ",
          "group_ids": [
            "CSAFGID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003",
            "CSAFPID-11004"
          ]
        }
      ],
      "title": "Phoenix Contact: WebSocket Handler Denial of Service"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.