PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT

Plan Patch
CVSS: 8.8
Advisory: VDE-2022-053
Date: Mar 7, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Two vulnerabilities exist in TC Router 4000 series and Cloud Client 2000 series devices running firmware version 4.5.7x.107 and earlier. The web administration interface is vulnerable to path traversal attacks and OS command injection via unvalidated user input. Authenticated attackers can upload or delete arbitrary files and execute OS commands, potentially disrupting network routing, facility connectivity, or enabling lateral movement.

What this means
What could happen
An authenticated attacker with admin access to the web interface could upload or delete arbitrary files on the device, or run OS commands to alter routing and network configurations. This could disrupt connectivity for the entire facility or allow lateral movement to other systems.
Who's at risk
Water utilities, municipalities, and industrial facilities that use Phoenix Contact TC Router 4000 series or Cloud Client 2000 series devices for network connectivity and routing. Any organization relying on these devices for WAN, cellular (4G), or WiFi connectivity to remote sites or cloud services is affected.
How it could be exploited
An attacker with valid admin credentials accesses the web administration interface and submits specially crafted input containing path traversal sequences (e.g., "../../../") to escape the intended directory. The unvalidated input is then used to upload malicious files, delete critical files, or execute arbitrary OS commands on the router.
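The two input-validation failures described above, shown from the defender's side as an added illustration (this is not the device's firmware code and makes no claim about how that web interface is implemented): a file-path parameter is resolved against a fixed root and rejected if the canonical path leaves it, and an administrative action is mapped to an allowlisted argument vector that is never passed through a shell. UPLOAD_ROOT, the action names and the hostname pattern are assumptions chosen for the example.

```python
"""Defensive handling of the two input-validation flaws named in the advisory:
path traversal in a file upload/delete parameter, and OS command injection.

Added illustration only. This is not Phoenix Contact's web-interface code and
makes no claim about how the TC Router or Cloud Client firmware is built.
"""
import re
import subprocess
from pathlib import Path
from typing import List, Optional

# Hypothetical directory that a file-management endpoint is allowed to touch.
UPLOAD_ROOT = Path("/tmp/example-upload-root")


def resolve_within(root: Path, user_path: str) -> Path:
    """Return the canonical target path, or raise if it leaves `root`.

    The check is made on the fully resolved absolute path rather than by
    searching the string for "..": this also catches absolute paths,
    doubled separators and symlinks that point outside the root. The root
    itself is not a valid file target, so it is rejected as well.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if root not in candidate.parents:
        raise PermissionError(f"path escapes allowed directory: {user_path!r}")
    return candidate


def is_within(root: Path, user_path: str) -> bool:
    """Boolean form of resolve_within for callers that only need accept/reject."""
    try:
        resolve_within(root, user_path)
        return True
    except PermissionError:
        return False


# Allowlist of administrative actions, each mapped to a fixed argument vector.
# The client never supplies a command, only one of these keys.
ALLOWED_ACTIONS = {
    "show-routes": ["ip", "route", "show"],
    "ping": ["ping", "-c", "3"],
}
# Conservative hostname/IPv4 pattern: letters, digits, dots and hyphens only,
# so ';', '|', '&', '$', backticks, quotes and whitespace can never appear.
TARGET_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def build_command(action: str, target: Optional[str] = None) -> List[str]:
    """Assemble argv from an allowlisted action and a validated target.

    User input is never interpolated into a shell string; the list is meant
    for subprocess.run(argv, shell=False), where metacharacters have no
    meaning. A leading '-' is refused separately so a target cannot be
    smuggled in as an extra option to the underlying binary.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not permitted: {action!r}")
    argv = list(ALLOWED_ACTIONS[action])
    if target is not None:
        if not TARGET_RE.fullmatch(target) or target.startswith("-"):
            raise ValueError(f"invalid target: {target!r}")
        argv.append(target)
    return argv


def command_accepted(action: str, target: Optional[str] = None) -> bool:
    """Boolean form of build_command."""
    try:
        build_command(action, target)
        return True
    except ValueError:
        return False


def run_action(action: str, target: Optional[str] = None) -> subprocess.CompletedProcess:
    """Execute an allowlisted action without a shell (not called in the demo)."""
    return subprocess.run(build_command(action, target), shell=False,
                          capture_output=True, text=True, timeout=10, check=False)


if __name__ == "__main__":
    for p in ["firmware/update.bin", "logs/../firmware/update.bin",
              "../../../escaped.txt", "/absolute/escaped.txt"]:
        print(f"{p!r:<32} -> {'accepted' if is_within(UPLOAD_ROOT, p) else 'REJECTED'}")
    for action, target in [("show-routes", None), ("ping", "gateway.example"),
                           ("ping", "gateway.example;id"), ("ping", "-I"), ("reboot", None)]:
        verdict = build_command(action, target) if command_accepted(action, target) else "REJECTED"
        print(f"{action} {target!r:<24} -> {verdict}")
```

The path check deliberately compares resolved paths instead of stripping "../" from the string: normalization inside the root (`logs/../firmware/update.bin`) is accepted, while anything whose canonical form lands outside the root is refused regardless of how it was spelled.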
Prerequisites
  • Valid admin credentials for the web administration interface
  • Network access to the web administration port on the TC Router or Cloud Client device
  • Device must be running vulnerable firmware version 4.5.7x.107 or earlier
  • Remotely exploitable via web interface
  • Requires valid admin credentials
  • Low complexity to exploit once authenticated
  • Path traversal and command injection flaws
  • High CVSS score (8.8)
  • Affects network routing and connectivity devices
Affected products (6)
6 with fix
Product                          Affected Versions   Fix Status
CLOUD CLIENT 2002T-4G EU         <4.5.73.107         fixed in 4.6.7x.101
CLOUD CLIENT 2002T-WLAN          <4.5.73.107         fixed in 4.6.7x.101
CLOUD CLIENT 2102T-4G EU WLAN    <4.5.73.107         fixed in 4.6.7x.101
TC ROUTER 4002T-4G EU            <4.5.72.107         fixed in 4.6.7x.101
TC ROUTER 4102T-4G EU WLAN       <4.5.72.107         fixed in 4.6.7x.101
TC ROUTER 4202T-4G EU WLAN       <4.5.72.107         fixed in 4.6.7x.101
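An inventory check against the affected-products table, as an added example (not part of the advisory and not a Phoenix Contact or OTPulse tool). The version boundaries are copied from the table; the hostnames and firmware strings in SAMPLE_INVENTORY are constructed. Versions are compared component by component as integers, because a plain string comparison ranks "4.5.9.200" above "4.5.73.107" and would wrongly mark such a device as patched.

```python
"""Check a device inventory against the affected-version table in the advisory.

Added example, not part of the advisory or of any vendor tool. The table
data below is copied from the advisory; the inventory rows are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Affected-version boundaries from the advisory table: firmware strictly
# below the listed version is affected. The fixed release is listed separately.
AFFECTED_BELOW: Dict[str, str] = {
    "CLOUD CLIENT 2002T-4G EU": "4.5.73.107",
    "CLOUD CLIENT 2002T-WLAN": "4.5.73.107",
    "CLOUD CLIENT 2102T-4G EU WLAN": "4.5.73.107",
    "TC ROUTER 4002T-4G EU": "4.5.72.107",
    "TC ROUTER 4102T-4G EU WLAN": "4.5.72.107",
    "TC ROUTER 4202T-4G EU WLAN": "4.5.72.107",
}
FIXED_VERSION = "4.6.7x.101"  # as printed in the advisory; 'x' stands for a digit


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.5.73.107' into (4, 5, 73, 107) so comparison is numeric.

    A lexical comparison would rank '4.5.9.200' above '4.5.73.107' because
    '9' > '7', so a vulnerable device would look patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, firmware: str) -> Optional[bool]:
    """True if affected, False if at or above the boundary, None if the
    product is not listed in the advisory table."""
    boundary = AFFECTED_BELOW.get(product.strip().upper())
    if boundary is None:
        return None
    return parse_version(firmware) < parse_version(boundary)


def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Inventory rows are (hostname, product, firmware); one finding per row."""
    findings = []
    for host, product, firmware in inventory:
        state = is_affected(product, firmware)
        if state is None:
            status = "not covered by VDE-2022-053"
        elif state:
            status = f"AFFECTED: update to {FIXED_VERSION} or later"
        else:
            status = "not affected per advisory table"
        findings.append({"host": host, "product": product,
                         "firmware": firmware, "status": status})
    return findings


# Constructed sample inventory: hostnames and firmware strings are made up.
SAMPLE_INVENTORY = [
    ("rtr-pump-station-1", "TC ROUTER 4002T-4G EU", "4.5.72.106"),
    ("rtr-pump-station-2", "TC ROUTER 4002T-4G EU", "4.5.72.107"),
    ("cc-reservoir-a", "CLOUD CLIENT 2002T-WLAN", "4.5.9.200"),
    ("cc-reservoir-b", "CLOUD CLIENT 2002T-WLAN", "4.6.70.101"),
    ("sw-core-1", "SOME OTHER SWITCH", "1.0.0"),
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f['host']:<22} {f['product']:<32} {f['firmware']:<12} {f['status']}")
```

The TC ROUTER and CLOUD CLIENT boundaries differ (4.5.72.107 versus 4.5.73.107), so the check is keyed on the exact product name rather than on the product family.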
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the web administration interface to trusted management networks or jump hosts only
HARDENING: Implement firewall rules to block unauthorized access to the device's web administration port from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update firmware to version 4.6.7x.101 or later for all affected TC Router and Cloud Client devices
Long-term hardening
HARDENING: Enforce strong, unique admin passwords and consider using certificate-based authentication if available
HARDENING: Segment the management network from production OT networks using firewalls or VLANs
PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT | CVSS 8.8 - OTPulse