Phoenix Contact: Products utilizing WIBU-SYSTEMS CodeMeter Runtime Windows Installer have a privilege escalation
Action: Plan Patch
Severity score: 8.2
Advisory ID: VDE-2025-064
Published: Sep 9, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
A local privilege escalation vulnerability exists in Phoenix Contact products that use WIBU-SYSTEMS CodeMeter Runtime. The CodeMeter Control Center starts with elevated privileges and retains them until restarted or the user logs out. An attacker with a local user account can exploit this window to run administrative commands and access restricted tools like cmd.exe with admin rights on freshly installed systems.
What this means
What could happen
A local attacker with a user account can escalate to administrator privileges on freshly installed systems, allowing them to run arbitrary commands and access sensitive tools like the command prompt with elevated permissions.
Who's at risk
Manufacturing organizations using Phoenix Contact engineering and industrial software—including PLCnext Engineer, FL Network Manager, EV Charging Suite, MLnext tools, and CLIPX ENGINEER—are affected. The vulnerability impacts workstations where these tools are installed, particularly freshly provisioned systems.
How it could be exploited
An attacker with a local user account logs into a freshly installed system running one of the affected Phoenix Contact products. The CodeMeter Control Center starts automatically with elevated privileges. The attacker uses this window before restart to run commands like cmd.exe with admin rights, gaining full system control.
Prerequisites
- Local user account on the system
- System with freshly installed or recently updated affected Phoenix Contact product
- CodeMeter Control Center running with elevated privileges
Key facts
- Local access required to exploit
- Affects freshly installed systems
- Multiple Phoenix Contact products affected
- Fix still pending for one affected product (MORYX-Software Platform Activation Wizard)
- Privilege escalation to admin level
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (10)
9 with fix, 1 pending
Product                                     Affected versions   Fix status
MORYX-Software Platform Activation Wizard   < 1.8               No fix yet
PLCnext Engineer                            < 2025.0.3          2025.0.3
FL Network Manager                          ≤ 8.0               8.0
EV Charging Suite (all versions)            ≤ 1.7.0             1.7.0
CLIPX ENGINEER ASSEMBLE                     ≤ 1.0.0             1.0.0
MLnext Execution                            ≤ 1.1.3             1.1.3
MLnext Creation                             ≤ 24.10.0           24.10.0
Activation Wizard                           < 1.8               1.8
Remediation & Mitigation
Do now
WORKAROUND: After installing CodeMeter Runtime or any affected Phoenix Contact product, immediately restart the system, log out and back in, or manually restart the CodeMeter Control Center via the system tray icon.

Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Download and install CodeMeter Runtime version 8.30a or later from the WIBU-SYSTEMS homepage.
HOTFIX: Check the official Phoenix Contact product webpage regularly for updates that incorporate CodeMeter V8.30a or later, and apply them when available.

Long-term hardening
HARDENING: Restrict local login to engineering and administrative personnel only; avoid shared user accounts on workstations running these products.
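The workaround and hotfix above can be checked and applied in one pass from an elevated PowerShell session. The script below is an added example written for this page; it is not code from the advisory, Phoenix Contact or WIBU-SYSTEMS. It assumes (the advisory states none of this) that the CodeMeter Control Center process is named CodeMeterCC.exe, that the runtime's entry under the Uninstall registry key has a DisplayName starting with "CodeMeter Runtime", and that its DisplayVersion begins with a numeric major.minor such as 8.30. It reports whether the installed runtime is below 8.30, and it finds any running Control Center whose primary token is elevated (the exact state the advisory describes) and terminates it, which is the scripted equivalent of "restart the CodeMeter Control Center".

```powershell
# Added example for VDE-2025-064 audit/containment; not from the advisory or the vendors.
# Assumptions (not stated by the advisory): Control Center process = CodeMeterCC.exe,
# Uninstall DisplayName begins "CodeMeter Runtime", DisplayVersion begins "major.minor".
# Run from an elevated session so other processes' tokens can be opened for TOKEN_QUERY.

Add-Type -TypeDefinition @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenProbe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out uint info, uint len, out uint needed);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenElevation = 20; // TOKEN_INFORMATION_CLASS value; returns TOKEN_ELEVATION { DWORD TokenIsElevated }

    // True when the process's primary token is a full (elevated) administrator token.
    public static bool IsElevated(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (process == IntPtr.Zero) throw new Win32Exception();
        IntPtr token = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token)) throw new Win32Exception();
            uint elevated, needed;
            if (!GetTokenInformation(token, TokenElevation, out elevated, (uint)sizeof(uint), out needed))
                throw new Win32Exception();
            return elevated != 0;
        }
        finally
        {
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }
}
"@

function Get-CodeMeterRuntimeVersion {
    # Reads DisplayVersion of the runtime from the 64-bit and 32-bit Uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CodeMeter Runtime*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-CodeMeterRuntimeFixed([string]$DisplayVersion) {
    # Below 8.30 is vulnerable. A bare 8.30 cannot be told apart from the 8.30a hotfix by
    # the number alone, so it is flagged for manual confirmation rather than called fixed.
    if (-not ($DisplayVersion -match '^(\d+)\.(\d+)')) { return 'unknown' }
    $mm = [version]::new([int]$Matches[1], [int]$Matches[2])
    if ($mm -lt [version]'8.30') { return 'vulnerable' }
    if ($mm -eq [version]'8.30') { return 'verify manually (8.30 vs 8.30a)' }
    return 'fixed'
}

function Get-CodeMeterControlCenterInstances {
    # One record per running Control Center, with the elevation state of its token.
    Get-Process -Name 'CodeMeterCC' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Pid       = $_.Id
            StartTime = $_.StartTime
            Elevated  = [TokenProbe]::IsElevated($_.Id)
        }
    }
}

# --- audit and containment ---
$ver = Get-CodeMeterRuntimeVersion
if ($ver) { "CodeMeter Runtime $ver : $(Test-CodeMeterRuntimeFixed $ver)" }
else      { 'CodeMeter Runtime not found in the Uninstall registry.' }

$elevated = @(Get-CodeMeterControlCenterInstances | Where-Object Elevated)
if ($elevated.Count -eq 0) {
    'No elevated CodeMeter Control Center instance is running.'
} else {
    foreach ($i in $elevated) {
        Write-Warning "CodeMeter Control Center PID $($i.Pid) (started $($i.StartTime)) holds an elevated token; terminating it."
        # Ending the instance left behind by the installer closes the escalation window.
        # Relaunch it from the tray or Start menu as the logged-on user, or log off and on.
        Stop-Process -Id $i.Pid -Force
    }
}
```

Run it once after each install or update of an affected product, before handing the workstation to a standard user. Do not relaunch the Control Center from the same elevated session after terminating it, or it will inherit the elevated token again; let the user start it, or use a logoff.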
CVEs (1)
API:
/api/v1/advisories/3eeb3670-db0e-4a20-ae72-a900f830d42a