8.8
CVE-2025-41669
- EPSS 0.22%
- Veröffentlicht 27.05.2026 07:18:28
- Zuletzt bearbeitet 27.05.2026 14:53:22
- Quelle info@cert.vde.com
- CVE-Watchlists
- Unerledigt
Insufficient Verification of Data Authenticity
The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPhoenix Contact
≫
Produkt
AXC F 1152
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
AXC F 1252
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
AXC F 2000 EA
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
AXC F 2152
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
AXC F 3152
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
BPC 9102S
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
EPC 1522
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
RFC 4072R
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
RFC 4072S
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
VL3 UPC 2440 EDGE
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
VPLCNEXT CONTROL 1000
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
VPLCNEXT CONTROL 2000
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
VPLCNEXT CONTROL 3000
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
HerstellerPhoenix Contact
≫
Produkt
VPLCNEXT CONTROL 500
Default Statusunaffected
Version
0.0.0
Version <
2026.0.3
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.22% | 0.12 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| info@cert.vde.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| info@cert.vde.com | 8.7 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
https://www.certvde.com/en/advisories/VDE-2026-050/