PHOENIX CONTACT: Products utilizing WIBU SYSTEMS CodeMeter components in versions prior to V7.21a

Priority: Monitor
Score: 6.1
Advisory ID: VDE-2021-036
Published: Aug 4, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability in WIBU SYSTEMS CodeMeter components (versions prior to V7.21a) used by Phoenix Contact products allows attackers to conduct cross-site scripting (XSS) and information disclosure attacks. The CmLAN network server and CmWAN server, if enabled, can be exploited via network connections without authentication. Affected products include Activation Wizard, E-Mobility Charging Suite, FL Network Manager, IOL-CONF, and PLCNEXT ENGINEER EDU LIC.

What this means
What could happen
An attacker could inject malicious scripts into the CodeMeter interface or intercept sensitive information if the network servers are enabled, potentially compromising the configuration of charging infrastructure, network management, or engineering workstations. This could disrupt EV charging operations or allow unauthorized changes to network and automation settings.
Who's at risk
Manufacturing facilities and utilities operating Phoenix Contact automation and charging products are affected. This includes organizations using Activation Wizard, E-Mobility Charging Suite for EV charging infrastructure, FL Network Manager for industrial network management, IOL-CONF for IO-Link configuration, and PLCNEXT ENGINEER for engineering tasks. Any site with CodeMeter-dependent licensing on networked or internet-connected systems is at risk.
How it could be exploited
An attacker on the network sends a crafted request to the exposed CmLAN or CmWAN server ports without authentication, injecting JavaScript code or extracting configuration data. If CmWAN is internet-facing, this can be exploited remotely. The XSS can be triggered through the web interface of any affected Phoenix Contact product that uses CodeMeter.
Prerequisites
  • Network access to CmLAN port (if network server is enabled)
  • Network access to CmWAN port (if CmWAN is enabled)
  • No authentication required for exploitation
  • User interaction (UI-dependent) to trigger XSS payload delivery
Tags: remotely exploitable; no authentication required; low complexity; affects industrial automation and charging infrastructure; default server configuration may enable vulnerable services
Affected products (5)
5 with fix
Product                                                              Affected Versions   Fix Status
Activation Wizard                                                    <= 1.4              Fix available
E-Mobility Charging Suite license codes for EV Charging Suite Setup  <= 1.7.3            Fix available
FL Network Manager                                                   <= 5.0              Fix available
IOL-CONF                                                             <= 1.7.0            Fix available
PLCNEXT ENGINEER EDU LIC                                             <= 2021.06          Fix available
Remediation & Mitigation
Do now
  • WORKAROUND: Disable the CodeMeter CmLAN network server or bind it to localhost only (127.0.0.1) to prevent remote access
  • WORKAROUND: Disable the CodeMeter CmWAN server if it is not required for operations
  • HARDENING: Apply host-based firewall rules to restrict access to the CmLAN port (default 22350) and the CmWAN port to authorized sources or localhost only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade CodeMeter to version V7.21a or later on all affected Phoenix Contact products
  • HARDENING: If CmWAN must be enabled, place it behind a reverse proxy with authentication and restrict firewall access to the reverse proxy server only
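As an added defender-side check (not code from the advisory, Phoenix Contact or WIBU SYSTEMS), the following Python parses an `ss -ltn`-style listener list, flags a CmLAN listener on the default port 22350 that is bound to anything other than loopback, and emits nftables allowlist rules matching the host-firewall hardening above. The sample socket lines, the allowed source address, and the `inet filter` table and `input` chain names are constructed assumptions.

```python
import ipaddress
import re

# Default CmLAN port named in the advisory. The CmWAN port is not given on the
# page, so it is not hard-coded here; pass it via the `port` argument if known.
CMLAN_PORT = 22350

# Constructed sample in `ss -ltn` layout (not a real capture): one wildcard
# IPv4 bind, one loopback-only bind, one wildcard IPv6 bind, one unrelated port.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22350        0.0.0.0:*
LISTEN  0       128     127.0.0.1:22350      0.0.0.0:*
LISTEN  0       128     [::]:22350           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)(?:\s|$)")


def parse_listeners(text):
    """Return (address, port) for every LISTEN line; IPv6 brackets are dropped."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append((m.group(1).strip("[]"), int(m.group(2))))
    return found


def reachable_from_network(addr):
    """True if a socket bound to addr accepts connections from other hosts."""
    if addr == "*":  # netstat-style wildcard
        return True
    return not ipaddress.ip_address(addr).is_loopback


def exposed_codemeter_listeners(text, port=CMLAN_PORT):
    """Listeners on the CodeMeter port that are not restricted to localhost."""
    return [(a, p) for a, p in parse_listeners(text)
            if p == port and reachable_from_network(a)]


def nft_allowlist_rules(allowed_sources, port=CMLAN_PORT):
    """nft commands for the advisory's allowlist: loopback and the named sources
    may reach the port, everything else is dropped (table/chain names assumed)."""
    base = "nft add rule inet filter input"
    rules = [f'{base} iifname "lo" tcp dport {port} accept']
    rules += [f"{base} ip saddr {src} tcp dport {port} accept"
              for src in allowed_sources]
    rules.append(f"{base} tcp dport {port} drop")
    return rules
```

Run `exposed_codemeter_listeners(SAMPLE_SS)` on a real `ss -ltn` capture to see which binds need the workaround; the Windows products listed above need the same check against `netstat -an` output, which uses the `*` wildcard the parser accepts.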