Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

Priority: Act Now | Score: 9.8 | Advisory ID: VDE-2025-053 | Published: Jul 8, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Phoenix Contact PLCnext firmware affect AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, and BPC 9102S controllers. Vulnerabilities include resource exhaustion, path traversal, denial of service, memory corruption, command injection, and unsafe operations in underlying Linux components. A remote, unauthenticated attacker could execute arbitrary code, modify files, or crash the controller.

What this means
What could happen
An attacker could run arbitrary commands on affected PLCnext controllers without authentication, potentially modifying program logic, altering process setpoints, or stopping production operations entirely. These controllers are critical to manufacturing automation and any compromise could halt facility operations.
Who's at risk
Manufacturing facilities using Phoenix Contact PLCnext automation controllers (AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, BPC 9102S) as primary process controllers. This includes discrete manufacturing, automotive, chemical, food & beverage, and any facility relying on these controllers for production line management or critical operations.
How it could be exploited
An attacker with network access to the PLCnext controller could send a specially crafted request to exploit one of the multiple vulnerabilities in the Linux components. No authentication is required; the attack could come from anywhere on your network or (if the device is internet-facing) from the internet.
Prerequisites
  • Network reachability to the affected PLCnext controller
  • No authentication required
Tags: remotely exploitable; no authentication required; low complexity; high EPSS score (62.7%); affects critical manufacturing controllers; multiple vulnerability types (code execution, path traversal, DoS, memory corruption)
Exploitability
High exploit probability (EPSS 62.7%)
Affected products (5), 5 with fix
Product     | Affected Versions | Fix Status
AXC F 1152  | < 2025.0.2        | Fixed in 2025.0.2
AXC F 2152  | < 2025.0.2        | Fixed in 2025.0.2
AXC F 3152  | < 2025.0.2        | Fixed in 2025.0.2
RFC 4072S   | < 2025.0.2        | Fixed in 2025.0.2
BPC 9102S   | < 2025.0.2        | Fixed in 2025.0.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to PLCnext controllers by implementing firewall rules to block traffic from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected PLCnext controllers to firmware version 2025.0.2 or later
HOTFIX: Update PLCnext Engineer software to the latest version
Long-term hardening
HARDENING: Segment PLCnext controllers on a dedicated OT network isolated from general IT and internet access
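An added example, not part of the advisory, of how a defender can triage an asset inventory against the affected-version table and the "Do now" / "Schedule" split above. It compares firmware versions numerically, so a hypothetical 2025.0.10 is correctly treated as newer than 2025.0.2 rather than older as a plain string comparison would. Device names, firmware values and the internet-facing flag in INVENTORY are constructed sample data.

```python
# Added example: triage a PLCnext inventory against VDE-2025-053 (not advisory code).
# Assumes firmware versions are dotted numerals such as "2025.0.1".
from dataclasses import dataclass

FIXED_VERSION = "2025.0.2"  # fix version stated in the advisory
AFFECTED_PRODUCTS = {"AXC F 1152", "AXC F 2152", "AXC F 3152",
                     "RFC 4072S", "BPC 9102S"}


def parse_version(v):
    """Turn '2025.0.10' into (2025, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product, firmware):
    """True when the product is in scope and its firmware is older than 2025.0.2."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


@dataclass
class Device:
    name: str
    product: str
    firmware: str
    internet_facing: bool  # exposed beyond the OT segment


def triage(devices):
    """Return (name, priority) for each affected device, internet-facing ones first."""
    hits = []
    for d in devices:
        if is_affected(d.product, d.firmware):
            # Reachable from outside the OT network: apply the workaround now,
            # otherwise schedule the 2025.0.2 update in a maintenance window.
            hits.append((d.name, "Do now" if d.internet_facing else "Schedule"))
    return sorted(hits, key=lambda h: (h[1] != "Do now", h[0]))


# Constructed sample inventory (hypothetical names and versions).
INVENTORY = [
    Device("plc-line1", "AXC F 2152", "2024.0.5", False),   # affected
    Device("plc-line2", "RFC 4072S", "2025.0.1", True),     # affected, exposed
    Device("plc-line3", "AXC F 3152", "2025.0.10", False),  # newer than fix
    Device("plc-line4", "BPC 9102S", "2025.0.2", False),    # already fixed
]

if __name__ == "__main__":
    for name, priority in triage(INVENTORY):
        print(f"{priority:9} {name}")
```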