OTPulse

PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices

Plan PatchCVSS 9.1VDE-2022-018May 11, 2022
Phoenix Contact
Attack path
Attack VectorNetwork
Auth RequiredHigh
ComplexityLow
User InteractionNone needed
Summary

Multiple critical vulnerabilities exist in RAD-ISM-900-EN-BD remote access devices across firmware and third-party libraries: - BusyBox version 0.60.1 contains 13 known vulnerabilities affecting NTP and DHCP services - OpenSSL version 0.9.7-beta3 uses deprecated ciphers and has over 87 known vulnerabilities - The web application runs with root privileges, meaning any code execution achieved through the web interface would execute at the highest system privilege level The device family is end-of-life and Phoenix Contact will not release security updates. Mitigation relies entirely on network isolation and firewall protection.

What this means
What could happen
The RAD-ISM-900-EN-BD remote access device contains multiple critical vulnerabilities in outdated libraries (BusyBox, OpenSSL) and runs its web application as root. An attacker who gains access to the web interface could execute arbitrary commands with full system privileges, potentially compromising network operations and connected systems.
Who's at risk
This affects any organization using Phoenix Contact RAD-ISM-900-EN-BD remote access/industrial modem devices for remote management or monitoring of industrial networks. These devices are commonly deployed in electric utilities, water authorities, and manufacturing plants for remote diagnostics and access to control systems. All hardware variants (EN-BD, EN-BD-BUS, EN-BD/B) are affected.
How it could be exploited
An attacker on the network could target the web application interface running on the device. If they exploit a vulnerability in the web application (or in underlying libraries like OpenSSL), they could achieve remote code execution. Because the web application runs as root, any command execution would have the highest system privileges, allowing the attacker to alter device configuration, intercept traffic, or pivot to other systems.
Prerequisites
  • Network access to the web interface port of the RAD-ISM-900-EN-BD device
  • High privileges or ability to exploit a web application vulnerability to bypass authentication
  • Device must be reachable from the attacker's network position
remotely exploitableno authentication required (for library vulnerabilities)low complexityno patch availabledefault/root privilege executionaffects industrial access devices
Exploitability
Unlikely to be exploited — EPSS score 0.8%
Affected products (3)
3 EOL
ProductAffected VersionsFix Status
RAD-ISM-900-EN-BDAll versionsNo fix (EOL)
RAD-ISM-900-EN-BD-BUSAll versionsNo fix (EOL)
RAD-ISM-900-EN-BD/BAll versionsNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/3
RAD-ISM-900-EN-BD
HARDENINGIsolate RAD-ISM-900-EN-BD devices to a secure, closed network segment with restricted access from the general corporate network.
HARDENINGDeploy a firewall rule to restrict access to the RAD-ISM-900-EN-BD web interface (typically port 80/443) to only authorized engineering workstations and administrative networks.
All products
WORKAROUNDDisable remote access to the device web interface if local access from secured equipment is sufficient for your operations.
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: RAD-ISM-900-EN-BD, RAD-ISM-900-EN-BD-BUS, RAD-ISM-900-EN-BD/B. Apply the following compensating controls:
HARDENINGContact Phoenix Contact support to discuss replacement or migration to a supported device model, as RAD-ISM-900-EN-BD is end-of-life and will not receive security patches.
View full CERT@VDE advisory
API: /api/v1/advisories/e08d7f7b-686b-49bc-9740-b2e69f86a557

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices | CVSS 9.1 - OTPulse