PHOENIX CONTACT: TC Router and TC Cloud Client multiple vulnerabilities
Action: Plan Patch | CVSS: 8.8 | Advisory: VDE-2020-003 | Published: Mar 5, 2020
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple code injection and hardcoded credential vulnerabilities (CWE-94, CWE-78, CWE-798) exist in Phoenix Contact TC Router and TC Cloud Client devices. These allow an attacker with valid user credentials to execute arbitrary code. The devices ship with a generic pre-installed X.509 certificate that should be replaced with an individual certificate during setup. Affected products: TC Cloud Client 1002-4G variants (≤2.03.17) and TC Cloud Client 1002-TXTX (≤1.03.17); TC Router 2002T-3G and 3002T-4G variants (≤2.05.3).
What this means
What could happen
An attacker with network access and valid user credentials could run arbitrary code on the TC Router or TC Cloud Client, potentially altering communications settings, redirecting traffic, or disrupting remote connectivity for critical infrastructure operations.
Who's at risk
Water and electric utilities using Phoenix Contact TC Router or TC Cloud Client devices for remote network connectivity and management should prioritize this update. These devices are commonly deployed in SCADA networks and field sites to provide remote engineering access and cellular/broadband connectivity to control systems. Affected organizations include small to mid-size water authorities, municipal electric utilities, and industrial facilities relying on these routers for remote operations.
How it could be exploited
An attacker with valid user credentials and network access to the web interface could exploit the code injection vulnerabilities (CWE-94, CWE-78) to execute arbitrary commands on the device. The advisory also indicates hardcoded credential issues (CWE-798), which could allow an attacker to gain initial authenticated access if default credentials are not changed during setup.
Prerequisites
- Valid user credentials for the web management interface
- Network access to the device's management port (typically HTTP/HTTPS)
- Device running vulnerable firmware version (TC Cloud Client ≤2.03.17 or TC Router ≤2.05.3)
- Ability to send HTTP requests to the management interface
- Remotely exploitable
- Requires valid credentials (reduces but does not eliminate risk)
- Affects remote management and communications infrastructure
- High CVSS score (8.8)
- Code execution capability (CWE-78, CWE-94)
Affected products (8)
8 with fix
Product                     | Affected Versions | Fix Status
TC CLOUD CLIENT 1002-4G     | ≤ 2.03.17         | 2.03.18
TC CLOUD CLIENT 1002-4G ATT | ≤ 2.03.17         | 2.03.18
TC CLOUD CLIENT 1002-4G VZW | ≤ 2.03.17         | 2.03.18
TC CLOUD CLIENT 1002-TXTX   | ≤ 1.03.17         | 1.03.18
TC ROUTER 2002T-3G          | ≤ 2.05.3          | 2.05.4
TC ROUTER 3002T-4G          | ≤ 2.05.3          | 2.05.4
TC ROUTER 3002T-4G ATT      | ≤ 2.05.3          | 2.05.4
TC ROUTER 3002T-4G VZW      | ≤ 2.05.3          | 2.05.4
Remediation & Mitigation
Do now
HARDENING: Replace the pre-installed generic X.509 certificate with an individual certificate during initial configuration (use the renewal function or upload a custom certificate)
HARDENING: Change default user credentials to strong, unique passwords immediately after device deployment
WORKAROUND: Restrict network access to the device management interface to authorized engineering networks only, using firewall rules
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
TC CLOUD CLIENT 1002-4G
HOTFIX: Update TC Cloud Client 1002-4G (all variants) to firmware version 2.03.18 or later
TC CLOUD CLIENT 1002-TXTX
HOTFIX: Update TC Cloud Client 1002-TXTX to firmware version 1.03.18 or later
TC ROUTER 2002T-3G
HOTFIX: Update TC Router 2002T-3G to firmware version 2.05.4 or later
TC ROUTER 3002T-4G
HOTFIX: Update TC Router 3002T-4G (all variants) to firmware version 2.05.4 or later