VDE-2026-050
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2026-05-27 10:00 - Updated: 2026-05-27 10:00Summary
Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files
Severity
High
Notes
General Recommendation: Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [Application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).
Impact: Depending on the vulnerability exploited, an attacker may be able to install manipulated APPs, influence the execution of privileged services through crafted configuration files, or execute unauthorized code with elevated permissions. This may lead to a compromise of integrity and availability of the PLCnext Control. Attack vectors include network-based access via the Web-based Management interface as well as local access by authenticated low-privileged users.
Remediation: Phoenix Contact recommends updating affected devices to PLCnext firmware version 2026.0.3 or later, which addresses all vulnerabilities described in this advisory. If immediate updates are not possible, refer to the CVE-specific mitigation measures described below.
Summary: This advisory addresses security issues in PLCnext firmware versions prior to 2026.0.3 that are related to APP handling and the processing of configuration files. The identified vulnerabilities affect APP installation authenticity as well as the handling of configuration data in writable directories. Successful exploitation may allow authenticated attackers with different privilege levels to compromise integrity, availability, and system security of affected PLCnext Control. Both issues are resolved starting with PLCnext firmware version 2026.0.3.
Mitigation: The following mitigation measures are recommended. Depending on the operational environment, one or more of these measures may be applied to reduce risk:
- Install APPs only from trusted sources and manually verify the SHA-256 checksum of the downloaded APP file before installation.
- Restrict access to the Web-based Management interface to authorized users only.
- Use firewall configuration to limit access to management interfaces and required services. Firewall configuration should be used to limit network communication to required services and to supervise execution behavior.
- Protect Engineer credentials and apply strong authentication practices.
- If APP functionality is not required for operation, consider disabling the APP Manager to reduce the attack surface.
- Exploitation of CVE-2025-41670 requires local access to the device; therefore, local access should be restricted to authorized and trusted users only. The device should be operated in a secured and controlled environment to prevent unauthorized local access.
- Enable system wide Syslog Server and check local security notifications to detect unexpected APP installation, execution behavior or abnormal system activity.
- Apply the latest firmware and security updates provided by the vendor
The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.
8.8 (High)
Mitigation
For firmware versions prior to 2026.0.3 apps are installed via WBM (APP Manager) without enforced authenticity validation. Verify the SHA-256 checksum provided by the PLCnext Store manually before installing an APP. Restrict WBM access to trusted IP ranges via the firewall and protect Engineer credentials. Monitor APP lifecycle security notifications locally or via a central Syslog server. If APPs are not required, disable the APP Manager service via the WBM System Services page to eliminate an unnecessary attack vector.
Starting with firmware version 2026.0.3, APP signature verification is enabled by default and only signed apps can be installed.
Vendor Fix
Update to PLCnext firmware version 2026.0.3 or later where APP signature verification is enforced by default. Check regularly for firmware updates and apply them as soon as they are available for the specific device.
Affected products
Fixed
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — | ||
| Unresolved product id: CSAFPID-32008 | — | ||
| Unresolved product id: CSAFPID-32009 | — | ||
| Unresolved product id: CSAFPID-32010 | — | ||
| Unresolved product id: CSAFPID-32011 | — | ||
| Unresolved product id: CSAFPID-32012 | — | ||
| Unresolved product id: CSAFPID-32013 | — | ||
| Unresolved product id: CSAFPID-32014 | — |
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — |
A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.
7.8 (High)
Vendor Fix
Update to PLCnext firmware version 2026.0.3 or later which fixes this vulnerability. Check regularly for firmware updates and apply them as soon as they are available for the specific device.
Affected products
Fixed
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — | ||
| Unresolved product id: CSAFPID-32007 | — | ||
| Unresolved product id: CSAFPID-32008 | — | ||
| Unresolved product id: CSAFPID-32009 | — | ||
| Unresolved product id: CSAFPID-32010 | — | ||
| Unresolved product id: CSAFPID-32011 | — | ||
| Unresolved product id: CSAFPID-32012 | — | ||
| Unresolved product id: CSAFPID-32013 | — | ||
| Unresolved product id: CSAFPID-32014 | — |
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — |
References
6 references
Acknowledgments
CERT@VDE
certvde.com
Nozomi
Diego Giubertoni
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination.",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Diego Giubertoni"
],
"organization": "Nozomi",
"summary": "Reporting"
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "High"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "general",
"text": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our [Application note](https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf).",
"title": "General Recommendation"
},
{
"category": "description",
"text": "Depending on the vulnerability exploited, an attacker may be able to install manipulated APPs, influence the execution of privileged services through crafted configuration files, or execute unauthorized code with elevated permissions. This may lead to a compromise of integrity and availability of the PLCnext Control. Attack vectors include network-based access via the Web-based Management interface as well as local access by authenticated low-privileged users.",
"title": "Impact"
},
{
"category": "description",
"text": "Phoenix Contact recommends updating affected devices to PLCnext firmware version 2026.0.3 or later, which addresses all vulnerabilities described in this advisory. If immediate updates are not possible, refer to the CVE-specific mitigation measures described below.",
"title": "Remediation"
},
{
"category": "summary",
"text": "This advisory addresses security issues in PLCnext firmware versions prior to 2026.0.3 that are related to APP handling and the processing of configuration files. The identified vulnerabilities affect APP installation authenticity as well as the handling of configuration data in writable directories. Successful exploitation may allow authenticated attackers with different privilege levels to compromise integrity, availability, and system security of affected PLCnext Control. Both issues are resolved starting with PLCnext firmware version 2026.0.3.",
"title": "Summary"
},
{
"category": "description",
"text": "The following mitigation measures are recommended. Depending on the operational environment, one or more of these measures may be applied to reduce risk:\n\n- Install APPs only from trusted sources and manually verify the SHA-256 checksum of the downloaded APP file before installation.\n- Restrict access to the Web-based Management interface to authorized users only.\n- Use firewall configuration to limit access to management interfaces and required services. Firewall configuration should be used to limit network communication to required services and to supervise execution behavior.\n- Protect Engineer credentials and apply strong authentication practices.\n- If APP functionality is not required for operation, consider disabling the APP Manager to reduce the attack surface.\n- Exploitation of CVE-2025-41670 requires local access to the device; therefore, local access should be restricted to authorized and trusted users only. The device should be operated in a secured and controlled environment to prevent unauthorized local access.\n- Enable system wide Syslog Server and check local security notifications to detect unexpected APP installation, execution behavior or abnormal system activity.\n- Apply the latest firmware and security updates provided by the vendor",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "external",
"summary": "PCSA-2026-00005",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "Phoenix Contact advisory overview at CERT@VDE",
"url": "https://certvde.com/de/advisories/vendor/phoenixcontact"
},
{
"category": "self",
"summary": "VDE-2026-050: Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files - HTML",
"url": "https://certvde.com/en/advisories/VDE-2026-050"
},
{
"category": "self",
"summary": "VDE-2026-050: Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-050.json"
}
],
"source_lang": "en",
"title": "Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files",
"tracking": {
"aliases": [
"VDE-2026-050",
"PCSA-2026-00005"
],
"current_release_date": "2026-05-27T10:00:00.000Z",
"generator": {
"date": "2026-05-27T07:05:10.994Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.44"
}
},
"id": "VDE-2026-050",
"initial_release_date": "2026-05-27T10:00:00.000Z",
"revision_history": [
{
"date": "2026-05-27T10:00:00.000Z",
"number": "1.0.0",
"summary": "Initial"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "AXC F 1152",
"product": {
"name": "AXC F 1152",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"1151412"
]
}
}
},
{
"category": "product_name",
"name": "AXC F 1252",
"product": {
"name": "AXC F 1252",
"product_id": "CSAFPID-11012",
"product_identification_helper": {
"model_numbers": [
"1646469"
]
}
}
},
{
"category": "product_name",
"name": "AXC F 2000 EA",
"product": {
"name": "AXC F 2000 EA",
"product_id": "CSAFPID-11013",
"product_identification_helper": {
"model_numbers": [
"1551772"
]
}
}
},
{
"category": "product_name",
"name": "AXC F 2152",
"product": {
"name": "AXC F 2152",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"2404267"
]
}
}
},
{
"category": "product_name",
"name": "AXC F 3152",
"product": {
"name": "AXC F 3152",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"1069208"
]
}
}
},
{
"category": "product_name",
"name": "BPC 9102S",
"product": {
"name": "BPC 9102S",
"product_id": "CSAFPID-11011",
"product_identification_helper": {
"model_numbers": [
"1246285"
]
}
}
},
{
"category": "product_name",
"name": "EPC 1522",
"product": {
"name": "EPC 1522",
"product_id": "CSAFPID-11016",
"product_identification_helper": {
"model_numbers": [
"1185423"
]
}
}
},
{
"category": "product_name",
"name": "RFC 4072R",
"product": {
"name": "RFC 4072R",
"product_id": "CSAFPID-11014",
"product_identification_helper": {
"model_numbers": [
"1136419"
]
}
}
},
{
"category": "product_name",
"name": "RFC 4072S",
"product": {
"name": "RFC 4072S",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"1051328"
]
}
}
},
{
"category": "product_name",
"name": "VL3 UPC 2440 EDGE",
"product": {
"name": "VL3 UPC 2440 EDGE",
"product_id": "CSAFPID-11015",
"product_identification_helper": {
"model_numbers": [
"1760157"
]
}
}
},
{
"category": "product_name",
"name": "VPLCNEXT CONTROL 1000",
"product": {
"name": "VPLCNEXT CONTROL 1000",
"product_id": "CSAFPID-11031",
"product_identification_helper": {
"model_numbers": [
"1737875"
]
}
}
},
{
"category": "product_name",
"name": "VPLCNEXT CONTROL 2000",
"product": {
"name": "VPLCNEXT CONTROL 2000",
"product_id": "CSAFPID-11032",
"product_identification_helper": {
"model_numbers": [
" 1738453 "
]
}
}
},
{
"category": "product_name",
"name": "VPLCNEXT CONTROL 3000",
"product": {
"name": "VPLCNEXT CONTROL 3000",
"product_id": "CSAFPID-11033",
"product_identification_helper": {
"model_numbers": [
" 1738454"
]
}
}
},
{
"category": "product_name",
"name": "VPLCNEXT CONTROL 500",
"product": {
"name": "VPLCNEXT CONTROL 500",
"product_id": "CSAFPID-11030",
"product_identification_helper": {
"model_numbers": [
"1751491"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:generic/\u003c2026.0.3",
"product": {
"name": "\u003c2026.0.3",
"product_id": "CSAFPID-21001",
"product_identification_helper": {
"model_numbers": [
"1151412",
"1646469",
"1551772",
"2404267",
"1069208",
"1246285",
"1185423",
"1136419",
"1051328",
"1760157",
"1737875",
"1738453",
"1738454",
"1751491"
]
}
}
},
{
"category": "product_version",
"name": "2026.0.3",
"product": {
"name": "2026.0.3",
"product_id": "CSAFPID-22001",
"product_identification_helper": {
"model_numbers": [
"1151412",
"1646469",
"1551772",
"2404267",
"1069208",
"1246285",
"1185423",
"1136419",
"1051328",
"1760157",
"1737875",
"1738453",
"1738454",
"1751491"
]
}
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Phoenix Contact GmbH \u0026 Co. KG"
}
],
"product_groups": [
{
"group_id": "CSAFGID-61001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014"
],
"summary": "Affected Products."
},
{
"group_id": "CSAFGID-62002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32008",
"CSAFPID-32009",
"CSAFPID-32010",
"CSAFPID-32011",
"CSAFPID-32012",
"CSAFPID-32013",
"CSAFPID-32014"
],
"summary": "Fixed Products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on AXC F 1152",
"product_id": "CSAFPID-31001",
"product_identification_helper": {
"model_numbers": [
"1151412"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on AXC F 1152",
"product_id": "CSAFPID-32001",
"product_identification_helper": {
"model_numbers": [
"1151412"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on AXC F 1252",
"product_id": "CSAFPID-31002",
"product_identification_helper": {
"model_numbers": [
"1646469"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11012"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on AXC F 1252",
"product_id": "CSAFPID-32002",
"product_identification_helper": {
"model_numbers": [
"1646469"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11012"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on AXC F 2000 EA",
"product_id": "CSAFPID-31003",
"product_identification_helper": {
"model_numbers": [
"1551772"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11013"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on AXC F 2000 EA",
"product_id": "CSAFPID-32003",
"product_identification_helper": {
"model_numbers": [
"1551772"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11013"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on AXC F 2152",
"product_id": "CSAFPID-31004",
"product_identification_helper": {
"model_numbers": [
"2404267"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on AXC F 2152",
"product_id": "CSAFPID-32004",
"product_identification_helper": {
"model_numbers": [
"2404267"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on AXC F 3152",
"product_id": "CSAFPID-31005",
"product_identification_helper": {
"model_numbers": [
"1069208"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on AXC F 3152",
"product_id": "CSAFPID-32005",
"product_identification_helper": {
"model_numbers": [
"1069208"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on BPC 9102S",
"product_id": "CSAFPID-31006",
"product_identification_helper": {
"model_numbers": [
"1246285"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11011"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on BPC 9102S",
"product_id": "CSAFPID-32006",
"product_identification_helper": {
"model_numbers": [
"1246285"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11011"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on EPC 1522",
"product_id": "CSAFPID-31007",
"product_identification_helper": {
"model_numbers": [
"1185423"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11016"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on EPC 1522",
"product_id": "CSAFPID-32007",
"product_identification_helper": {
"model_numbers": [
"1185423"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11016"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on RFC 4072R",
"product_id": "CSAFPID-31008",
"product_identification_helper": {
"model_numbers": [
"1136419"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11014"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on RFC 4072R",
"product_id": "CSAFPID-32008",
"product_identification_helper": {
"model_numbers": [
"1136419"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11014"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on RFC 4072S",
"product_id": "CSAFPID-31009",
"product_identification_helper": {
"model_numbers": [
"1051328"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on RFC 4072S",
"product_id": "CSAFPID-32009",
"product_identification_helper": {
"model_numbers": [
"1051328"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on VL3 UPC 2440 EDGE",
"product_id": "CSAFPID-31010",
"product_identification_helper": {
"model_numbers": [
"1760157"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11015"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on VL3 UPC 2440 EDGE",
"product_id": "CSAFPID-32010",
"product_identification_helper": {
"model_numbers": [
"1760157"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11015"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on VPLCNEXT CONTROL 1000",
"product_id": "CSAFPID-31011",
"product_identification_helper": {
"model_numbers": [
"1737875"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11031"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on VPLCNEXT CONTROL 1000",
"product_id": "CSAFPID-32011",
"product_identification_helper": {
"model_numbers": [
"1737875"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11031"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on VPLCNEXT CONTROL 2000",
"product_id": "CSAFPID-31012",
"product_identification_helper": {
"model_numbers": [
" 1738453 "
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11032"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on VPLCNEXT CONTROL 2000",
"product_id": "CSAFPID-32012",
"product_identification_helper": {
"model_numbers": [
" 1738453 "
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11032"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on VPLCNEXT CONTROL 3000",
"product_id": "CSAFPID-31013",
"product_identification_helper": {
"model_numbers": [
" 1738454"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11033"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on VPLCNEXT CONTROL 3000",
"product_id": "CSAFPID-32013",
"product_identification_helper": {
"model_numbers": [
" 1738454"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11033"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c 2026.0.3 installed on VPLCNEXT CONTROL 500",
"product_id": "CSAFPID-31014",
"product_identification_helper": {
"model_numbers": [
"1751491"
]
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11030"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 2026.0.3 installed on VPLCNEXT CONTROL 500",
"product_id": "CSAFPID-32014",
"product_identification_helper": {
"model_numbers": [
"1751491"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11030"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-41669",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"notes": [
{
"category": "description",
"text": "The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32008",
"CSAFPID-32009",
"CSAFPID-32010",
"CSAFPID-32011",
"CSAFPID-32012",
"CSAFPID-32013",
"CSAFPID-32014"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014"
]
},
"references": [
{
"category": "external",
"summary": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 8.7 / High",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "For firmware versions prior to 2026.0.3 apps are installed via WBM (APP Manager) without enforced authenticity validation. Verify the SHA-256 checksum provided by the PLCnext Store manually before installing an APP. Restrict WBM access to trusted IP ranges via the firewall and protect Engineer credentials. Monitor APP lifecycle security notifications locally or via a central Syslog server. If APPs are not required, disable the APP Manager service via the WBM System Services page to eliminate an unnecessary attack vector. \n\nStarting with firmware version 2026.0.3, APP signature verification is enabled by default and only signed apps can be installed.",
"group_ids": [
"CSAFGID-61001"
]
},
{
"category": "vendor_fix",
"details": "Update to PLCnext firmware version 2026.0.3 or later where APP signature verification is enforced by default. Check regularly for firmware updates and apply them as soon as they are available for the specific device.",
"group_ids": [
"CSAFGID-61001"
],
"restart_required": {
"category": "system"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014"
]
}
],
"title": "Insufficient Verification of Data Authenticity"
},
{
"cve": "CVE-2025-41670",
"cwe": {
"id": "CWE-427",
"name": "Uncontrolled Search Path Element"
},
"notes": [
{
"category": "description",
"text": "A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007",
"CSAFPID-32008",
"CSAFPID-32009",
"CSAFPID-32010",
"CSAFPID-32011",
"CSAFPID-32012",
"CSAFPID-32013",
"CSAFPID-32014"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014"
]
},
"references": [
{
"category": "external",
"summary": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 8.5 / High",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Update to PLCnext firmware version 2026.0.3 or later which fixes this vulnerability. Check regularly for firmware updates and apply them as soon as they are available for the specific device.",
"group_ids": [
"CSAFGID-61001"
],
"restart_required": {
"category": "system"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014"
]
}
],
"title": "Untrusted Search Path"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…