Phoenix Contact: Security Advisory for TC ROUTER and CLOUD CLIENT Industrial mobile network routers
Plan Patch · 8.8 · VDE-2025-073 · Jan 13, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A code injection vulnerability exists in the upload-config endpoint of TC ROUTER and CLOUD CLIENT industrial mobile network routers. The vulnerability allows an authenticated high-privileged attacker to inject code through configuration file upload, potentially leading to unauthorized control of the device. Affected products include TC ROUTER models 2002T-3G, 3002T-3G, 3002T-4G (GL, VZW, ATT variants), 5004T-5G EU, 2002T-4G, and CLOUD CLIENT models 1101T-TX/TX, 1002-4G ATT, and 1002-TX/TX.
What this means
What could happen
An authenticated administrator with compromised credentials or malicious intent could upload a specially crafted configuration file to inject code into the router, potentially gaining full control of the device and disrupting connectivity to remote facilities, sensors, or cloud management systems. This could prevent monitoring and control of distributed industrial processes.
Who's at risk
Manufacturing facilities and utilities using Phoenix Contact TC ROUTER and CLOUD CLIENT industrial mobile network routers for remote site connectivity, SCADA communications, and cloud-based monitoring. Organizations managing distributed process control systems, remote sensors, and centralized supervision systems dependent on these routers for connectivity are particularly at risk.
How it could be exploited
An attacker with valid administrative credentials accesses the web interface of the TC ROUTER or CLOUD CLIENT device and navigates to the configuration upload endpoint. The attacker uploads a malicious configuration file containing injected code. The device processes the file without proper validation, executing the embedded code with the privileges of the administrative user.
Prerequisites
- Valid administrative credentials for the device
- Network access to the device's web interface (port 80 or 443)
- Ability to craft and upload a malicious configuration file
- Requires valid administrative credentials (reduces risk)
- Affects industrial connectivity and remote management
- Code injection can lead to full device compromise
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (11)
11 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| TC ROUTER 3002T-3G | < 3.08.8 | 3.08.8 |
| TC ROUTER 2002T-3G | < 3.08.8 | 3.08.8 |
| TC ROUTER 3002T-4G | < 3.08.8 | 3.08.8 |
| TC ROUTER 3002T-4G GL | < 3.08.8 | 3.08.8 |
| TC ROUTER 5004T-5G EU | < 1.06.23 | 1.06.23 |
| TC ROUTER 3002T-4G VZW | < 3.08.8 | 3.08.8 |
| TC ROUTER 3002T-4G ATT | < 3.08.8 | 3.08.8 |
| TC ROUTER 2002T-4G | < 3.08.8 | 3.08.8 |
Remediation & Mitigation
Do now
HARDENING: Restrict administrative access to the device to a minimal set of authorized personnel and disable remote administrative access if not required
HARDENING: Implement a policy requiring all configuration files to be imported only from trusted, verified sources
HARDENING: Restrict network access to the device's web interface using firewall rules, allowing only from trusted management networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
TC ROUTER 3002T-3G
HOTFIX: Update TC ROUTER 3002T-3G, 2002T-3G, 3002T-4G (all variants), and 2002T-4G to firmware version 3.08.8 or later
TC ROUTER 5004T-5G EU
HOTFIX: Update TC ROUTER 5004T-5G EU to firmware version 1.06.23 or later
CLOUD CLIENT 1101T-TX/TX
HOTFIX: Update CLOUD CLIENT 1101T-TX/TX and 1002-TX/TX to firmware version 3.07.7 or later
TC CLOUD CLIENT 1002-4G ATT
HOTFIX: Update TC CLOUD CLIENT 1002-4G ATT to firmware version 3.08.8 or later
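To plan the maintenance window, an asset inventory can be triaged against the fixed firmware versions listed above. The script below is an added example, not part of the advisory or any Phoenix Contact tooling; the inventory tuple format, hostnames and installed versions are constructed assumptions. It compares version fields numerically, because a plain string comparison would rank 3.08.10 below 3.08.8.

```python
# Fixed firmware versions, copied from the advisory's remediation section.
FIXED = {
    "TC ROUTER 3002T-3G": "3.08.8",
    "TC ROUTER 2002T-3G": "3.08.8",
    "TC ROUTER 3002T-4G": "3.08.8",
    "TC ROUTER 3002T-4G GL": "3.08.8",
    "TC ROUTER 3002T-4G VZW": "3.08.8",
    "TC ROUTER 3002T-4G ATT": "3.08.8",
    "TC ROUTER 2002T-4G": "3.08.8",
    "TC ROUTER 5004T-5G EU": "1.06.23",
    "CLOUD CLIENT 1101T-TX/TX": "3.07.7",
    "CLOUD CLIENT 1002-TX/TX": "3.07.7",
    "CLOUD CLIENT 1002-4G ATT": "3.08.8",
}

def parse_version(text):
    """Turn '3.08.8' into (3, 8, 8) so fields compare as numbers, not strings."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(model, installed):
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    name = " ".join(model.split()).upper()
    if name.startswith("TC CLOUD CLIENT"):   # the advisory uses both spellings
        name = name[3:]
    fixed = FIXED.get(name)
    if fixed is None:
        return "unknown"                     # model not listed in the advisory
    try:
        ok = parse_version(installed) >= parse_version(fixed)
    except ValueError:
        return "unknown"                     # firmware string is not dotted numeric
    return "patched" if ok else "vulnerable"

# Constructed inventory: (hostname, model, installed firmware). Hypothetical values.
INVENTORY = [
    ("pump-station-01", "TC ROUTER 3002T-4G", "3.08.7"),
    ("substation-07", "TC ROUTER 3002T-4G VZW", "3.08.10"),
    ("tank-farm-02", "TC ROUTER 5004T-5G EU", "1.06.9"),
    ("hq-gw", "CLOUD CLIENT 1002-TX/TX", "3.07.7"),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" need a manual check of the model name and firmware string before they are treated as unaffected.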
CVEs (1)