Phoenix Contact: Security Advisory for QUINT4-UPS EIP

Monitor | 7.5 | VDE-2025-072 | Oct 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in QUINT4-UPS EIP firmware allow unauthenticated remote attackers to perform denial of service attacks and extract login credentials for the device's web interface. The vulnerabilities are in the handling of Modbus/TCP commands and HTTP requests. CWEs include improper authentication (CWE-306), resource exhaustion (CWE-770), credential exposure (CWE-523), and buffer overflow (CWE-120). Affected firmware versions are VC:00 through VC:07. Phoenix Contact states the product was designed for closed industrial networks and recommends firewall protection; however, new units will ship with VC:07 firmware.

What this means
What could happen
An attacker on your network can crash the QUINT4-UPS power supply or extract login credentials for its web interface without authentication, potentially disrupting your ability to manage uninterruptible power supply units that protect critical control systems.
Who's at risk
Water utilities and municipal electric utilities using QUINT4-UPS EIP uninterruptible power supplies to protect programmable logic controllers (PLCs), remote terminal units (RTUs), and other critical process control equipment. Any facility relying on these power supplies for operational continuity should assess their exposure.
How it could be exploited
An attacker sends unauthenticated Modbus/TCP commands over the network to the device on port 502 to trigger a denial of service condition, or sends HTTP requests to extract credentials from the web interface. No valid credentials or special configuration are required.
Prerequisites
  • Network access to the QUINT4-UPS on port 502 (Modbus/TCP) or port 80/443 (HTTP)
  • Device must be reachable from the attacker's network segment
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects critical infrastructure components
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (8)
8 EOL
Product | Affected Versions | Fix Status
QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07 | VC:00<VC:07 | No fix (EOL)
QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07 | VC:00<VC:07 | No fix (EOL)
QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07 | VC:00<VC:07 | No fix (EOL)
QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07 | VC:00<VC:07 | No fix (EOL)
QUINT4-UPS/24DC/24DC/5/EIP VC:07 | VC:07 | No fix (EOL)
QUINT4-UPS/24DC/24DC/10/EIP VC:07 | VC:07 | No fix (EOL)
QUINT4-UPS/24DC/24DC/20/EIP VC:07 | VC:07 | No fix (EOL)
QUINT4-UPS/24DC/24DC/40/EIP VC:07 | VC:07 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to QUINT4-UPS devices using firewall rules: block Modbus/TCP (port 502) and HTTP/HTTPS traffic from untrusted network segments and the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Configure Modbus/TCP access controls at the application level to restrict which control systems can send commands to the device
HOTFIX: If new QUINT4-UPS devices are purchased, verify they ship with firmware VC:07 or later, which includes fixes for these vulnerabilities
Mitigations - no patch available
The following products have reached End of Life with no planned fix: QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07, QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07, QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07, QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07, QUINT4-UPS/24DC/24DC/5/EIP VC:07, QUINT4-UPS/24DC/24DC/10/EIP VC:07, QUINT4-UPS/24DC/24DC/20/EIP VC:07, QUINT4-UPS/24DC/24DC/40/EIP VC:07. Apply the following compensating controls:
HARDENING: Isolate QUINT4-UPS devices on a dedicated, closed industrial network segment with no Internet access or cross-network routing to corporate IT systems
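An added example, not part of the advisory or of Phoenix Contact's material: a Python check over exported firewall flow records that verifies the firewall restriction and segment isolation controls above, flagging permitted connections to UPS addresses on ports 502, 80 or 443 from outside the control segment. The device addresses, allowed subnet and log layout are assumptions, and the sample records are constructed.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Ports named in the advisory: Modbus/TCP and the web interface.
EXPOSED_PORTS = {502: "Modbus/TCP", 80: "HTTP", 443: "HTTPS"}

# Assumed site data (constructed): UPS addresses and the only subnets
# that should be able to reach them.
UPS_DEVICES = {ip_address("10.20.0.11"), ip_address("10.20.0.12")}
ALLOWED_SOURCES = [ip_network("10.20.0.0/24")]

# Constructed flow records, assumed layout: time,src,dst,dport,action
SAMPLE_FLOWS = """\
2025-10-14T08:00:01Z,10.20.0.5,10.20.0.11,502,ACCEPT
2025-10-14T08:00:07Z,10.50.3.40,10.20.0.11,502,ACCEPT
2025-10-14T08:01:12Z,10.50.3.40,10.20.0.12,443,DROP
2025-10-14T08:02:30Z,203.0.113.9,10.20.0.12,80,ACCEPT
2025-10-14T08:03:00Z,10.50.3.40,10.20.0.30,502,ACCEPT
2025-10-14T08:04:44Z,10.50.3.40,10.20.0.11,161,ACCEPT
"""


def find_exposures(flow_text):
    """Return accepted flows that reach a UPS on an advisory port from
    a source outside the allowed subnets."""
    findings = []
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, action = (f.strip() for f in row)
        try:
            src_ip, dst_ip, port = ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue  # unparsable address or port
        if dst_ip not in UPS_DEVICES or port not in EXPOSED_PORTS:
            continue  # not a UPS, or not a service the advisory covers
        if action.upper() != "ACCEPT":
            continue  # the firewall already blocked this flow
        if any(src_ip in net for net in ALLOWED_SOURCES):
            continue  # source is inside the control segment
        findings.append((ts, src, dst, EXPOSED_PORTS[port]))
    return findings


if __name__ == "__main__":
    for ts, src, dst, service in find_exposures(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst} {service}: permitted from untrusted segment")
```

Any finding means a firewall rule still lets an untrusted segment reach the device and should be closed.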