Phoenix Contact: Directory Traversal Vulnerability in ENERGY AXC PU Web service

CVSS: 8.8
Advisory ID: VDE-2023-004
Published: Apr 11, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A directory traversal vulnerability in the web service of Phoenix Contact industrial controllers allows authenticated users with restricted privileges to read, write, and create files anywhere on the device filesystem using specially crafted URLs through the upload and download functionality. An attacker with valid credentials can traverse the file system to access sensitive files beyond their intended directory scope.

What this means
What could happen
An authenticated user with restricted web access could read, modify, or delete critical configuration files on the controller, potentially disrupting communication with field devices, altering process logic, or compromising device security. If the attacker gains access to firmware or configuration files, they could inject malicious code or disable safety functions.
Who's at risk
Energy utilities, water authorities, and other critical infrastructure operators using Phoenix Contact's ENERGY AXC PU, SMARTRTU AXC SG, SMARTRTU AXC IG, or Infobox controllers as gateway devices or remote terminal units (RTUs) in networked environments should assess whether they have these products deployed.
How it could be exploited
An attacker with a valid restricted user account on the web frontend can craft specially formatted URLs using the upload or download functions to traverse the file directory structure (e.g., using ../ sequences) and access system files outside the normal user-accessible directories. By reading or modifying configuration files, network settings, or firmware components, the attacker could alter device behavior or gain higher privileges.
Prerequisites
  • Valid restricted user credentials for the web frontend
  • Network access to the web service port on the device
  • Knowledge of file system paths or ability to guess directory traversal sequences
Key points
  • Requires valid credentials, but no admin privilege needed
  • High impact on confidentiality and integrity
  • Affects critical infrastructure gateway and RTU devices
  • Multiple products with no fix planned
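As an added illustration (not part of the advisory and not Phoenix Contact's code), the Python below shows both sides of the issue described above: a detection pass over constructed access-log lines that flags upload/download requests whose file parameter steps upward (including percent-encoded and double-encoded forms), and the server-side path confinement that closes the bug class. The /download and /upload endpoints, the file parameter and the device paths are hypothetical.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed access-log lines; the /download and /upload endpoints, the
# 'file' parameter and the device paths are hypothetical, not from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - operator [11/Apr/2023:10:01:02 +0000] "GET /download?file=config/export.xml HTTP/1.1" 200
192.0.2.10 - operator [11/Apr/2023:10:01:05 +0000] "GET /download?file=../../system/network.cfg HTTP/1.1" 200
192.0.2.10 - operator [11/Apr/2023:10:01:09 +0000] "POST /upload?file=..%2F..%2Fsystem%2Fstartup.cfg HTTP/1.1" 200
192.0.2.11 - viewer [11/Apr/2023:10:02:00 +0000] "GET /download?file=logs%2Fevents.log HTTP/1.1" 200
"""

LOG_RE = re.compile(r'(\S+) - (\S+) \[[^\]]+\] "\w+ /(?:upload|download)\?file=([^ "]+)')
DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a '..' path component with either separator

def decode_param(raw):
    """Percent-decode until stable so '..%2F' and double-encoded '..%252F' both normalise."""
    prev = None
    while prev != raw:
        prev, raw = raw, unquote(raw)
    return raw

def find_traversal_attempts(log_text):
    """Detection: (client, user, decoded file parameter) for each request that steps upward."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, param = m.groups()
        decoded = decode_param(param)
        if DOTDOT.search(decoded):
            hits.append((client, user, decoded))
    return hits

def safe_join(base_dir, requested):
    """Mitigation: confine the request to base_dir; return None if it tries to leave it."""
    target = PurePosixPath(base_dir)
    for part in PurePosixPath(decode_param(requested).replace("\\", "/")).parts:
        if part == "/":          # a leading slash is dropped, not honoured
            continue
        if part == "..":         # rejected outright rather than silently collapsed
            return None
        target = target / part
    return str(target)
```

Running the detector over the sample lines reports the two requests from 192.0.2.10 that contain an upward step, while safe_join returns None for the same inputs and a path under the base directory for the legitimate ones.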
Affected products (4)
2 with fix, 2 EOL

Product          Affected Versions   Fix Status
ENERGY AXC PU    < V04.15.00.00      V04.15.00.01
Infobox*         ≤ V02.02.00.00      No fix (EOL)
SMARTRTU AXC SG  ≤ V01.08.00.02      V01.09.00.00
SMARTRTU AXC IG  ≤ V01.02.00.01      No fix (EOL)
Remediation & Mitigation

Do now

SMARTRTU AXC IG
  • HARDENING: Place SMARTRTU AXC IG and Infobox devices in a closed network isolated from untrusted users, or protect them with a firewall that restricts access to the web service port
All products
  • HARDENING: Restrict network access to the web service port (typically port 80/443) to trusted engineering workstations and management systems only, using firewall rules
  • HARDENING: Review and enforce strong, unique passwords for all web frontend user accounts; disable or remove any default credentials
  • WORKAROUND: Disable the upload and download functionality in the web service if it is not actively used
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

ENERGY AXC PU
  • HOTFIX: Update ENERGY AXC PU to firmware version V04.15.00.01 or later
SMARTRTU AXC SG
  • HOTFIX: Update SMARTRTU AXC SG to firmware version V01.09.00.00 or later
Source: OTPulse