Phoenix Contact: Products utilizing WIBU-SYSTEMS CodeMeter Runtime Windows Installer have a privilege escalation

Plan Patch | CVSS 8.2 | VDE-2025-064 | Sep 9, 2025
Phoenix Contact | Manufacturing
Attack path
  • Attack Vector: Local
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: Required
Summary

A local privilege escalation vulnerability exists in Phoenix Contact products that use WIBU-SYSTEMS CodeMeter Runtime. The CodeMeter Control Center starts with elevated (administrator) privileges and retains them until restarted, allowing users to gain admin rights on freshly installed systems and access admin-level tools. Affected products include PLCnext Engineer, FL Network Manager, EV Charging Suite, MLnext Execution, MLnext Creation, Activation Wizard, and CLIPX ENGINEER ASSEMBLE. Most products can be fixed by updating CodeMeter Runtime to version 8.30a and installing product-specific patches; however, MORYX-Software Platform (Activation Wizard <1.8) has no fix available.

What this means
What could happen
An attacker with local access to a Windows machine running Phoenix Contact software could escalate privileges to administrator, allowing unauthorized access to sensitive engineering tools and process control functions on freshly installed systems.
Who's at risk
Phoenix Contact engineering and platform software users, particularly those deploying PLCnext Engineer, FL Network Manager, EV Charging Suite, and MLnext products for industrial automation and control. Affects manufacturers using these tools on Windows workstations for PLC programming, network configuration, and machine learning model deployment.
How it could be exploited
An attacker with a standard user account on a machine with a vulnerable Phoenix Contact product can trigger the CodeMeter Control Center (which launches with elevated privileges) to run arbitrary commands as administrator, such as opening cmd.exe with admin rights. This is possible only on freshly installed systems until the CodeMeter service is restarted.
Prerequisites
  • Local user account on Windows system running affected Phoenix Contact software
  • System has been freshly installed with vulnerable CodeMeter Runtime
  • CodeMeter Control Center has not been restarted since installation
  • User interaction required to trigger execution of admin-level commands
  • Requires local access to the Windows system
  • No authentication required beyond a local user account
  • Low exploitation complexity
  • Affects engineering workstations that may control or configure production equipment
  • Privilege escalation to administrator level
  • MORYX-Software Platform has no fix planned
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (10)
9 with fix, 1 pending
Product                          | Affected Versions      | Fix Status
MORYX-Software Platform          | Activation Wizard <1.8 | No fix yet
PLCnext Engineer                 | <2025.0.3              | 2025.0.3
FL Network Manager               | ≤ 8.0                  | 8.0
EV Charging Suite (all versions) | ≤ 1.7.0                | 1.7.0
CLIPX ENGINEER ASSEMBLE          | ≤ 1.0.0                | 1.0.0
MLnext Execution                 | ≤ 1.1.3                | 1.1.3
MLnext Creation                  | ≤ 24.10.0              | 24.10.0
Activation Wizard                | <1.8                   | 1.8
Remediation & Mitigation
Do now
WORKAROUND: After installing CodeMeter or any affected Phoenix Contact product, immediately restart the system, log out and back in, or manually restart the CodeMeter Control Center via the system tray.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CodeMeter Runtime to version 8.30a directly from the WIBU-SYSTEMS homepage
HOTFIX: Update PLCnext Engineer to version 2025.0.3 or later
HOTFIX: Update Activation Wizard to version 1.8 when available
HOTFIX: Update FL Network Manager to version 8.0 or later
HOTFIX: Update EV Charging Suite to version 1.7.0 or later
HOTFIX: Update MLnext Execution to version 1.1.3 or later
HOTFIX: Update MLnext Creation to version 24.10.0 or later
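To confirm on a workstation that the updates above have actually landed, the following PowerShell check is an added example (not from the advisory, OTPulse or Phoenix Contact). It reads installed product versions from the Windows uninstall registry keys and compares them with the fix versions named in this advisory; the DisplayName patterns, and the rule that anything below the fix version needs an update, are assumptions to adjust to what your installers register.

```powershell
# Added example, not from the advisory or Phoenix Contact. Compares installed versions
# (read from the Windows uninstall registry keys) with the fix versions in VDE-2025-064.
# ASSUMPTIONS: the DisplayName patterns below match what the installers register, and an
# installed version below the fix version is reported as needing an update.
$FixVersions = [ordered]@{
    'CodeMeter'          = '8.30a'      # CodeMeter Runtime
    'PLCnext Engineer'   = '2025.0.3'
    'FL Network Manager' = '8.0'
    'EV Charging Suite'  = '1.7.0'
    'CLIPX ENGINEER'     = '1.0.0'
    'MLnext Execution'   = '1.1.3'
    'MLnext Creation'    = '24.10.0'
    'Activation Wizard'  = '1.8'
}

function Split-ProductVersion {
    param([string]$Text)
    # "8.30a" -> numeric 8.30 plus suffix "a"; the numeric part is padded to four
    # components so that 8.30 and 8.30.0.0 compare as equal.
    if ($Text -match '^\s*(\d+(?:\.\d+)*)([A-Za-z]*)') {
        $parts = @($Matches[1] -split '\.')
        while ($parts.Count -lt 4) { $parts += '0' }
        return [pscustomobject]@{ Number = [version]($parts -join '.'); Suffix = $Matches[2].ToLower() }
    }
    return $null
}

function Test-NeedsUpdate {
    param([string]$Installed, [string]$Fixed)
    $i = Split-ProductVersion $Installed
    $f = Split-ProductVersion $Fixed
    if (-not $i -or -not $f) { return $true }           # unparseable: flag for manual review
    if ($i.Number -ne $f.Number) { return $i.Number -lt $f.Number }
    return [string]::CompareOrdinal($i.Suffix, $f.Suffix) -lt 0   # 8.30 is below 8.30a
}

$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -and $_.DisplayVersion }

foreach ($product in $FixVersions.GetEnumerator()) {
    $hits = @($installed | Where-Object { $_.DisplayName -like "*$($product.Key)*" })
    foreach ($hit in $hits) {
        $status = if (Test-NeedsUpdate $hit.DisplayVersion $product.Value) { 'UPDATE' } else { 'ok' }
        '{0,-6} {1} {2} (fix: {3})' -f $status, $hit.DisplayName, $hit.DisplayVersion, $product.Value
    }
}
```

Products the advisory lists but that are not found under the uninstall keys produce no line, so check the output against your own inventory rather than treating silence as "patched".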
Long-term hardening
HARDENING: Restrict local console access to engineering workstations to trusted personnel only