Phoenix Contact: Security Advisory for ESL Stick USB-A
Phoenix Contact · CVSS 4.2 · VDE-2025-005 · Jan 14, 2025

Attack path
- Attack Vector: Physical
- Auth Required: None
- Complexity: High
- User Interaction: None needed
Summary
A vulnerability exists in a cryptographic library within the firmware of ESL STICK USB A devices. The vulnerability affects ECDSA signature calculation using ECC keys. Exploitation requires physical access and special equipment, making it a complex attack. Affected versions are prior to 4.5.2.
What this means
What could happen
An attacker with physical access to an ESL STICK USB A device and specialized equipment could potentially forge or compromise cryptographic signatures, potentially allowing unauthorized access to systems that rely on these devices for authentication or integrity verification.
Who's at risk
Organizations using Phoenix Contact ESL STICK USB A devices for cryptographic authentication or digital signature operations should assess their exposure. This particularly affects industrial automation environments where these dongles are used for secure access to engineering workstations, HMIs, or configuration systems.
How it could be exploited
An attacker must obtain physical possession of the ESL STICK USB A device and use specialized equipment to extract or manipulate the cryptographic key material stored on the device. This would allow them to forge ECDSA signatures that could be used to authenticate as a legitimate user or system.
Prerequisites
- Physical access to the ESL STICK USB A device
- Specialized hardware equipment to extract or manipulate cryptographic material
- Knowledge of the target system's signature verification process

- physical access required
- low complexity of exploitation given physical access
- affects cryptographic integrity
- affects authentication systems
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product | Affected Versions | Fix Status
ESL STICK USB A | prior to 4.5.2 | Fixed in 4.5.2
Remediation & Mitigation
- Schedule: requires maintenance window
- Patching may require device reboot; plan for process interruption
- HOTFIX: Update ESL STICK USB A devices to firmware version 4.5.2 or later
CVEs (1)