Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware
Status: Plan Patch · Score: 8.8 · Advisory: VDE-2025-054 · Published: Jul 8, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in PLCnext firmware allow low-privileged remote attackers to gain unauthorized system access or trigger controller reboots through manipulation of configuration files and symbolic links. Affected services include watchdog, arp-preinit, and security-profile, potentially exposing critical system files and enabling privilege escalation. Firmware version 2025.0.2 resolves these issues.
What this means
What could happen
An attacker holding low-privilege credentials on a PLCnext controller could manipulate configuration files and plant symbolic links to gain full system access, or remotely force the PLC to reboot, disrupting manufacturing processes and equipment control.
Who's at risk
Manufacturing facilities using Phoenix Contact PLCnext controllers (AXC F series and RFC/BPC models) are affected. Any site running these as primary logic controllers for process automation, motor control, or safety-critical functions should prioritize assessment and patching.
How it could be exploited
An attacker with low-privilege user credentials (whether legitimately held or obtained through a weak password or social engineering) logs into the PLCnext web interface or SSH service. The attacker then creates malicious symbolic links or modifies configuration files that are read by system services such as watchdog, arp-preinit, or security-profile. Because these services run with elevated privileges and act on the attacker-controlled configuration, the result is code execution with those privileges or a denial of service.
Prerequisites
- Valid low-privilege user credentials for PLCnext web interface or SSH
- Network access to HTTP/HTTPS and/or SSH ports on the affected PLC
Tags: remotely exploitable · low complexity · no authentication required for some exploitation paths · affects safety-critical control systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5)
5 with fix available

Product        Affected Versions   Fix Status
AXC F 1152     < 2025.0.2          2025.0.2
AXC F 2152     < 2025.0.2          2025.0.2
AXC F 3152     < 2025.0.2          2025.0.2
RFC 4072S      < 2025.0.2          2025.0.2
BPC 9102S      < 2025.0.2          2025.0.2
Remediation & Mitigation
Do now
HARDENING: Restrict remote access to the PLCnext web interface and SSH services to authorized engineering workstations only, using firewall rules
HARDENING: Enforce strong password policies for all local user accounts on PLCnext devices
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HOTFIX: Update all affected AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, and BPC 9102S controllers to firmware version 2025.0.2 or later
API: /api/v1/advisories/6c354d20-4b32-456c-b5eb-2f166db6680f