Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

Act Now | CVSS 9.8 | VDE-2025-053 | Jul 8, 2025
Phoenix Contact | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Linux component vulnerabilities have been identified in PLCnext Firmware affecting the AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, and BPC 9102S controllers. The vulnerabilities span resource exhaustion (CWE-770, CWE-835), path traversal (CWE-22), buffer overflows (CWE-122, CWE-120, CWE-787), permission/privilege issues (CWE-266, CWE-697), memory safety issues (CWE-415, CWE-416, CWE-476, CWE-772), command injection (CWE-78, CWE-77), unsafe deserialization (CWE-94), and other input validation flaws. All affect controllers running firmware versions prior to 2025.0.2. The vulnerabilities allow remote code execution without authentication.

What this means
What could happen
An attacker with network access to an affected PLCnext controller could run arbitrary code with full device privileges, allowing them to alter process logic, modify setpoints, or halt production on connected machinery.
Who's at risk
Manufacturing facilities using Phoenix Contact PLCnext controllers (AXC F series, RFC 4072S, BPC 9102S) for industrial automation and process control. This includes factories managing production lines, packaging systems, and other continuous process equipment where remote code execution would directly impact operational safety and uptime.
How it could be exploited
An attacker on the network sends a malicious request to the PLCnext controller's network interface. The firmware processes the request without proper validation or privilege checks, allowing code execution. Once running on the controller, the attacker has full control over the industrial process.
Prerequisites
  • Network access to the PLCnext controller
  • No authentication required
Tags: remotely exploitable; no authentication required; low complexity; high EPSS score (72.4%); affects industrial control systems; can alter process setpoints and halt operations
Exploitability
Likely to be exploited — EPSS score 73.6%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (5)
5 with fix
Product     | Affected Versions | Fix Status
AXC F 1152  | < 2025.0.2        | 2025.0.2
AXC F 2152  | < 2025.0.2        | 2025.0.2
AXC F 3152  | < 2025.0.2        | 2025.0.2
RFC 4072S   | < 2025.0.2        | 2025.0.2
BPC 9102S   | < 2025.0.2        | 2025.0.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to PLCnext controllers to only trusted engineering workstations and remote access gateways, using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX (AXC F 1152): Update all affected PLCnext controllers (AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, BPC 9102S) to firmware version 2025.0.2 or later
HOTFIX (All products): Update PLCnext Engineer to the latest version
Long-term hardening
HARDENING: Segment PLCnext controllers onto a dedicated OT network isolated from general corporate IT networks