Phoenix Contact: Multiple vulnerabilities in WP 6xxx Web panels

Act Now10VDE-2023-018Aug 8, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple critical vulnerabilities in Phoenix Contact WP 6xxx web panels allow unauthenticated attackers to read arbitrary files from the device, inject and execute arbitrary commands, and bypass authentication or access control mechanisms. The vulnerabilities stem from hardcoded session and encryption keys, missing firmware update signature verification, insufficient access controls, and a service running with unnecessary elevated privileges. All WP 6xxx models (WP 6070-WVPS, WP 6101-WXPS, WP 6121-WXPS, WP 6156-WHPS, WP 6185-WHPS, WP 6215-WHPS) with firmware versions prior to 4.0.10 are affected.

What this means

What could happen

An attacker with network access to a WP 6xxx web panel could read arbitrary files from the device, execute commands as an elevated user, bypass authentication, or download unauthorized firmware—potentially gaining full control of the device and any industrial processes it controls.

Who's at risk

Mid-size industrial facilities operating Phoenix Contact WP 6xxx web panels (including WP 6070-WVPS, WP 6101-WXPS, WP 6121-WXPS, WP 6156-WHPS, WP 6185-WHPS, WP 6215-WHPS) for machine monitoring, data visualization, or control interface tasks. Affects water authorities, utilities, and manufacturing plants that use these panels for real-time process visibility or remote operation.

How it could be exploited

An attacker can connect to the device's web interface over the network without credentials. By exploiting hardcoded session/encryption keys, missing authentication, missing firmware signature verification, or command injection flaws, the attacker gains file read and command execution capabilities, which can be chained to fully compromise the device.

Prerequisites

Network access to the WP 6xxx device's web interface (port 80/443 typical)
No authentication required to exploit most vulnerabilities
Device running firmware version prior to 4.0.10

Remotely exploitableNo authentication requiredLow complexity exploitationHigh CVSS score (10.0)Affects control system interfaceHardcoded credentials/keysMissing firmware signature verificationService privilege escalation possible

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

WP 6070-WVPS<4.0.104.0.10

WP 6101-WXPS<4.0.104.0.10

WP 6121-WXPS<4.0.104.0.10

WP 6156-WHPS<4.0.104.0.10

WP 6185-WHPS<4.0.104.0.10

WP 6215-WHPS<4.0.104.0.10

Remediation & Mitigation

0/3

Do now

0/2

HARDENINGIsolate all WP 6xxx web panels in a closed/protected network segment behind a firewall; restrict network access to only authorized engineering workstations and control systems

HARDENINGDisable or restrict direct internet access to WP 6xxx devices; implement network segmentation to prevent untrusted systems from reaching the device

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

WP 6070-WVPS

HOTFIXUpdate all WP 6xxx web panels (WP 6070-WVPS, WP 6101-WXPS, WP 6121-WXPS, WP 6156-WHPS, WP 6185-WHPS, WP 6215-WHPS) to firmware version 4.0.10 or later

CVEs (14)

CVE-2023-37858 CVE-2023-37857 CVE-2023-37856 CVE-2023-37855 CVE-2023-3573 CVE-2023-3572 CVE-2023-3571 CVE-2023-3570 CVE-2023-37864 CVE-2023-37863 CVE-2023-37862 CVE-2023-37861 CVE-2023-37860 CVE-2023-37859

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/56089729-a41d-4bc9-9aaa-51966829c2e6