8.8

CVE-2025-41669

Insufficient Verification of Data Authenticity

The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPhoenix Contact
Produkt AXC F 1152
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt AXC F 1252
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt AXC F 2000 EA
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt AXC F 2152
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt AXC F 3152
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt BPC 9102S
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt EPC 1522
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt RFC 4072R
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt RFC 4072S
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt VL3 UPC 2440 EDGE
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt VPLCNEXT CONTROL 1000
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt VPLCNEXT CONTROL 2000
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt VPLCNEXT CONTROL 3000
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
HerstellerPhoenix Contact
Produkt VPLCNEXT CONTROL 500
Default Statusunaffected
Version 0.0.0
Version < 2026.0.3
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.22% 0.12
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
info@cert.vde.com 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
info@cert.vde.com 8.7 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.