Phoenix Contact TC ROUTER and TC CLOUD CLIENT
Act Now
CVSS score: 9.6
Source: ICS-CERT ICSA-23-250-02
Date: Sep 7, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Phoenix Contact TC ROUTER and TC CLOUD CLIENT devices contain cross-site scripting (XSS) and path traversal vulnerabilities (CWE-79, CWE-776) in their web interfaces. Successful exploitation could execute code in the context of a user's browser or cause denial of service. The vulnerabilities affect TC ROUTER 3002T-4G variants and TC CLOUD CLIENT 1002-4G variants at versions before 2.07.2, and CLOUD CLIENT 1101T-TX/TX at versions before 2.06.10.
What this means
What could happen
An attacker could execute malicious code in a user's browser session when they access the device web interface, potentially stealing session credentials or altering device configuration. Alternatively, an attacker could cause the device to become unavailable, disrupting remote management and monitoring of your industrial network.
Who's at risk
Water utilities and electric utilities operating Phoenix Contact TC ROUTER and TC CLOUD CLIENT devices for remote cellular gateway and cloud connectivity functions. These devices are commonly deployed in distribution automation, SCADA, and remote site management for substations, pumping stations, and water treatment facilities. Organizations using these for OT network connectivity and remote engineering access are at risk.
How it could be exploited
An attacker could craft a malicious URL containing an XSS payload or path traversal sequences and trick an engineering workstation operator into clicking it while logged into the device's web interface. Alternatively, if the device is exposed to the internet without authentication controls, an attacker could send malicious requests directly to trigger a denial of service.
Prerequisites
- User interaction required: An authorized user (engineering staff) must click a malicious link or visit a crafted URL
- Network access to the device's web interface (typically port 80/443)
- For XSS exploitation: Active session in the device's web interface
- Remotely exploitable over network
- User interaction required (reduces but does not eliminate risk)
- No patch available (vendor fix not released)
- High CVSS score (9.6)
- Affects management/engineering interfaces used for control system access
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (7)
7 with fix
Product                        Affected Versions   Fix Status
TC ROUTER 3002T-4G             < 2.07.2            Fixed in 2.07.2
TC CLOUD CLIENT 1002-4G        < 2.07.2            Fixed in 2.07.2
TC CLOUD CLIENT 1002-4G ATT    < 2.07.2            Fixed in 2.07.2
CLOUD CLIENT 1101T-TX/TX       < 2.06.10           Fixed in 2.06.10
TC ROUTER 3002T-4G ATT         < 2.07.2            Fixed in 2.07.2
TC ROUTER 3002T-4G VZW         < 2.07.2            Fixed in 2.07.2
TC CLOUD CLIENT 1002-4G VZW    < 2.07.2            Fixed in 2.07.2
Remediation & Mitigation
Do now
- Hardening: Restrict network access to the device's web management interface using firewall rules. Only allow connections from designated engineering workstations and block all external/internet access.
- Hardening: Require a VPN or secure tunnel (SSH, IPsec) for any remote engineering access to these devices. Do not expose the web interface directly to the internet or untrusted networks.
- Hardening: Educate operators and engineering staff not to click on links in unsolicited emails that purport to be from the device or management system. Verify any alerts through direct contact with known management channels.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- Hardening: Segment the network so that TC ROUTER and TC CLOUD CLIENT devices are isolated from business networks and the internet. Use a DMZ or dedicated out-of-band management network if remote access is needed.
- Hardening: Monitor and log all access to the device web interface. Alert on repeated failed login attempts or unusual query strings in HTTP requests.
- Hotfix: When the vendor releases patched firmware (versions 2.07.2 or later for TC ROUTER/TC CLOUD CLIENT 1002-4G, or 2.06.10 for CLOUD CLIENT 1101T-TX/TX), upgrade during a scheduled maintenance window.
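The monitoring item above asks for alerts on unusual query strings and repeated failed logins. The following Python script is an added example (not code from Phoenix Contact, ICS-CERT or this advisory) that runs those checks over a few constructed access-log lines: it percent-decodes each request target (repeatedly, so double-encoded sequences are not missed), flags path traversal and script-injection patterns of the kind the summary describes, reports request sources outside an assumed engineering subnet, and counts HTTP 401 responses per source. The Apache combined log format, the request paths, the trusted subnet prefix and the failed-login threshold are all assumptions; the real devices' log format is not documented on this page, so LOG_RE must be adapted to what the device or the reverse proxy in front of it actually emits.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format, hypothetical paths).
# Sources on 10.1.5.0/24 stand in for engineering workstations; the
# 203.0.113.0/24 sources (TEST-NET-3) stand in for an untrusted network.
SAMPLE_LOG = """\
10.1.5.20 - eng1 [07/Sep/2023:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512
10.1.5.20 - eng1 [07/Sep/2023:10:00:05 +0000] "GET /cgi-bin/config?page=wan HTTP/1.1" 200 2048
203.0.113.7 - - [07/Sep/2023:10:01:00 +0000] "GET /cgi-bin/config?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
203.0.113.7 - - [07/Sep/2023:10:01:02 +0000] "GET /cgi-bin/file?name=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 404 120
203.0.113.9 - - [07/Sep/2023:10:02:00 +0000] "POST /login HTTP/1.1" 401 80
203.0.113.9 - - [07/Sep/2023:10:02:01 +0000] "POST /login HTTP/1.1" 401 80
203.0.113.9 - - [07/Sep/2023:10:02:02 +0000] "POST /login HTTP/1.1" 401 80
203.0.113.9 - - [07/Sep/2023:10:02:03 +0000] "POST /login HTTP/1.1" 401 80
10.1.5.21 - eng2 [07/Sep/2023:10:03:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512
"""

# Assumption: combined log format. Adapt this to the device's real log output.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Patterns are applied to the percent-decoded request target.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
XSS_RE = re.compile(r'(<\s*script|javascript:|on[a-z]+\s*=)', re.IGNORECASE)
FAILED_LOGIN_THRESHOLD = 3          # assumption: tune to the site
TRUSTED_PREFIXES = ("10.1.5.",)     # assumption: engineering workstation subnet


def decode_target(target: str) -> str:
    """Percent-decode repeatedly (at most 3 rounds) so that double-encoded
    sequences such as %252f become visible as '/'."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text: str) -> list:
    """Run the detections over a block of log text and return a list of findings."""
    findings = []
    failed_logins = {}
    untrusted_seen = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            findings.append({"type": "unparsed", "line": raw})
            continue
        target = decode_target(rec["target"])
        if TRAVERSAL_RE.search(target):
            findings.append({"type": "path_traversal", "ip": rec["ip"], "target": target})
        if XSS_RE.search(target):
            findings.append({"type": "xss_pattern", "ip": rec["ip"], "target": target})
        # Report each source outside the trusted subnet once, not per request.
        if not rec["ip"].startswith(TRUSTED_PREFIXES) and rec["ip"] not in untrusted_seen:
            untrusted_seen.add(rec["ip"])
            findings.append({"type": "untrusted_source", "ip": rec["ip"]})
        if rec["status"] == 401:
            failed_logins[rec["ip"]] = failed_logins.get(rec["ip"], 0) + 1
    for ip, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"type": "repeated_failed_login", "ip": ip, "count": n})
    return findings


def count_by_type(log_text: str) -> dict:
    """Summary used for alerting thresholds: number of findings per type."""
    counts = {}
    for f in analyse(log_text):
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
    print(count_by_type(SAMPLE_LOG))
```

On the constructed sample this produces one path-traversal finding (only visible after the second decoding round), one script-injection finding, two untrusted sources and one repeated-failed-login finding for the source with four 401 responses. Feeding the output into a SIEM or a syslog alert rule is the natural next step; the untrusted-source check is also a cheap way to confirm that the firewall restriction listed under "Do now" is actually in place.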
CVEs (2)