CVE-2025-41669
Insufficient Verification of Data Authenticity
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.7EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
27 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Produtos afetados
Phoenix Contact · AXC F 1152Phoenix Contact · AXC F 1252Phoenix Contact · AXC F 2000 EAPhoenix Contact · AXC F 2152Phoenix Contact · AXC F 3152Phoenix Contact · BPC 9102SPhoenix Contact · EPC 1522Phoenix Contact · RFC 4072RPhoenix Contact · RFC 4072SPhoenix Contact · VL3 UPC 2440 EDGEPhoenix Contact · VPLCNEXT CONTROL 1000Phoenix Contact · VPLCNEXT CONTROL 2000Phoenix Contact · VPLCNEXT CONTROL 3000Phoenix Contact · VPLCNEXT CONTROL 500Quer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →