Phoenix Contact: Multiple Vulnerabilities in PLCnext Firmware

Plan Patch | CVSS 8.8 | VDE-2025-054 | Jul 8, 2025
Vendor: Phoenix Contact | Sector: Manufacturing
Attack path
  • Attack Vector: Network
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: None needed
Summary

Multiple vulnerabilities in PLCnext firmware allow low-privileged remote attackers to escalate privileges, trigger system reboots, or expose critical system files by exploiting improper handling of symbolic links and configuration files in the watchdog, arp-preinit, and security-profile services. The vulnerabilities stem from insufficient permission checks (CWE-276) and improper link resolution before file access, i.e. symbolic-link following (CWE-59). Affected devices include AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, and BPC 9102S running firmware below version 2025.0.2.

What this means
What could happen
A low-privileged user (operator or technician) on the device could manipulate configuration files or symbolic links to gain higher system privileges, trigger unintended reboots, or expose system files. This could allow an attacker to alter control logic, disable safety functions, or disrupt plant operations.
Who's at risk
Manufacturing facilities using Phoenix Contact PLCnext controllers (AXC F series, RFC 4072S, BPC 9102S) for process automation, machine control, or safety-related systems. The vulnerability affects operators and technicians with user-level access to the device management interface or local shell access.
How it could be exploited
An attacker with user-level access to the PLCnext controller (e.g., remote access via management interface or local access as a technician) can exploit symbolic link or configuration file handling in the watchdog, arp-preinit, or security-profile services. By writing malicious symbolic links or modifying protected configuration files, the attacker can escalate privileges, reboot the controller, or read sensitive system files.
Prerequisites
  • User-level or operator access to the PLCnext device (remote or local)
  • Direct access to configuration directories or services that handle symbolic links
  • PLCnext firmware version below 2025.0.2
Tags: remotely exploitable; low complexity; affects industrial controllers; can cause system reboot and operational disruption; privilege escalation potential
Exploitability
Some exploitation risk — EPSS score 1.2%
Affected products (5)
5 with fix
Product      Affected Versions   Fix Status
AXC F 1152   <2025.0.2           2025.0.2
AXC F 2152   <2025.0.2           2025.0.2
AXC F 3152   <2025.0.2           2025.0.2
RFC 4072S    <2025.0.2           2025.0.2
BPC 9102S    <2025.0.2           2025.0.2
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the PLCnext management interface to engineering workstations and authorized IP addresses only via firewall rules
  • HARDENING: Review and enforce access control policies to limit user-level accounts with shell or configuration access to authorized personnel only
Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

  • [AXC F 1152] HOTFIX: Update all affected PLCnext controllers (AXC F 1152, AXC F 2152, AXC F 3152, RFC 4072S, BPC 9102S) to firmware version 2025.0.2 or later
  • [All products] HARDENING: Monitor affected devices for unexpected reboots or configuration file changes after patching
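The two weaknesses the advisory names (privileged services following symbolic links, CWE-59, and configuration files that low-privileged accounts can write, CWE-276) and the monitoring item above can both be checked from the defender's side with a small audit of a configuration directory. The script below is an added example, not Phoenix Contact code; it builds its own sample tree in a temporary directory rather than using real PLCnext paths, and flags symlinks that resolve outside the tree, files owned by untrusted uids, and files writable by group or others.

```python
"""Audit a configuration directory for symlink-following (CWE-59) and
weak-permission (CWE-276) preconditions. All paths are constructed here;
none are real PLCnext locations."""
import os
import stat
import tempfile


def audit_config_dir(root, trusted_uids=(0,)):
    """Return sorted (relative_path, finding) tuples for a config tree."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # lstat: inspect the link, not its target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                # A privileged service that follows this link would read or
                # write a file outside the directory it was meant to manage.
                if not target.startswith(root + os.sep):
                    findings.append((rel, "symlink escapes config dir"))
                continue
            if st.st_uid not in trusted_uids:
                findings.append((rel, "owned by untrusted uid"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "group/world writable"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree (hypothetical file names, not device paths)."""
    root = tempfile.mkdtemp(prefix="cfg-audit-")
    good = os.path.join(root, "service.conf")
    with open(good, "w") as f:
        f.write("interval=30\n")
    os.chmod(good, 0o644)                      # root-style, read-only for others
    loose = os.path.join(root, "loose.conf")
    with open(loose, "w") as f:
        f.write("mode=normal\n")
    os.chmod(loose, 0o664)                     # group-writable: editable by operators
    os.symlink("service.conf", os.path.join(root, "current.conf"))   # stays inside
    os.symlink("/etc/hostname", os.path.join(root, "profile.conf"))  # escapes tree
    return root


def run_demo():
    """Audit the constructed tree; the current uid stands in for root."""
    return audit_config_dir(build_demo_tree(), trusted_uids=(os.getuid(),))


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{rel}: {finding}")
```

On a real device the same function would be pointed at the directories the affected services read, with `trusted_uids` left at root only.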