Phoenix Contact: Security Advisory for TC ROUTER and CLOUD CLIENT Industrial mobile network routers
Plan Patch | CVSS 8.8 | VDE-2025-073 | Jan 13, 2026
Phoenix Contact | Manufacturing
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: Required
Summary
A code injection vulnerability exists in the upload-config endpoint of Phoenix Contact TC ROUTER and CLOUD CLIENT industrial mobile network routers. An authenticated high-privileged user can upload a malicious configuration file containing code that is executed by the device. The vulnerability affects multiple router models (3002T-3G, 2002T-3G, 3002T-4G variants, 5004T-5G EU) and CLOUD CLIENT models (1101T-TX/TX, 1002-4G ATT, 1002-TX/TX).
What this means
What could happen
An authenticated high-privileged user could upload a malicious configuration file to a TC ROUTER or CLOUD CLIENT device, injecting code that executes with the device's privileges. This could allow the attacker to take full control of the router, intercept communications, redirect traffic, or disrupt the mobile network connectivity that the device provides to your facility.
Who's at risk
Manufacturing facilities and utilities using Phoenix Contact TC ROUTER or CLOUD CLIENT industrial mobile network routers for site-to-site connectivity, remote access, or cellular failover. This includes facilities relying on these devices for continuous communication with PLCs, HMIs, or remote monitoring systems.
How it could be exploited
An attacker with administrative credentials to the device accesses the web interface or management API and uploads a crafted configuration file to the upload-config endpoint. The unsanitized input is processed as code, allowing the attacker to execute arbitrary commands on the router.
Prerequisites
- Valid administrative credentials for the TC ROUTER or CLOUD CLIENT device
- Network access to the device's management interface or upload-config endpoint
- Ability to upload or substitute a configuration file
- Requires valid administrative credentials (reduces exposure)
- Code injection via unsanitized config upload
- Could allow full device compromise and lateral movement into operational network
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (11)
11 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| TC ROUTER 3002T-3G | < 3.08.8 | 3.08.8 |
| TC ROUTER 2002T-3G | < 3.08.8 | 3.08.8 |
| TC ROUTER 3002T-4G | < 3.08.8 | 3.08.8 |
| TC ROUTER 3002T-4G GL | < 3.08.8 | 3.08.8 |
| TC ROUTER 5004T-5G EU | < 1.06.23 | 1.06.23 |
| TC ROUTER 3002T-4G VZW | < 3.08.8 | 3.08.8 |
| TC ROUTER 3002T-4G ATT | < 3.08.8 | 3.08.8 |
| TC ROUTER 2002T-4G | < 3.08.8 | 3.08.8 |
Remediation & Mitigation
Do now
HARDENING: Restrict administrative access to these devices to named personnel only and disable or remove unused administrative accounts
WORKAROUND: Require that configuration file uploads come only from verified, trusted sources and implement file integrity checks before deployment
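One way to implement the file integrity check named in the workaround, as an added example that is not from Phoenix Contact or this advisory: a pre-upload gate that accepts a configuration file only if its SHA-256 digest appears in an HMAC-authenticated manifest of approved files. The manifest layout, function names, demo key and sample config bytes are assumptions constructed for illustration; the device's config format is treated as opaque bytes.

```python
import hashlib
import hmac
import json

# Constructed demo values: in practice the key is held by change control,
# not stored beside the config files.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_CONFIG = b"# constructed sample config\nhostname=site-a-router\n"

def _tag(entries, key):
    # Canonical JSON so the same entries always produce the same HMAC.
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(approved_files, key):
    """approved_files: {filename: bytes}, recorded at review/approval time."""
    entries = {n: hashlib.sha256(d).hexdigest() for n, d in approved_files.items()}
    return {"entries": entries, "tag": _tag(entries, key)}

def verify_config(name, data, manifest, key):
    """Return (allowed, reason); call this before any upload to a device."""
    entries = manifest.get("entries")
    if not isinstance(entries, dict):
        return False, "manifest malformed"
    # Authenticate the manifest first, otherwise its digests prove nothing.
    claimed = str(manifest.get("tag", "")).encode()
    if not hmac.compare_digest(_tag(entries, key).encode(), claimed):
        return False, "manifest tag invalid"
    approved = entries.get(name)
    if approved is None:
        return False, "file not in approved manifest"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual.encode(), str(approved).encode()):
        return False, "digest mismatch"
    return True, "ok"

if __name__ == "__main__":
    m = build_manifest({"site-a.cfg": SAMPLE_CONFIG}, DEMO_KEY)
    print(verify_config("site-a.cfg", SAMPLE_CONFIG, m, DEMO_KEY))
    print(verify_config("site-a.cfg", SAMPLE_CONFIG + b"extra", m, DEMO_KEY))
```

The gate fails closed: a file that was modified after approval, a file that was never approved, and a manifest whose entries were edited without the key are all rejected before anything reaches the device.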
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
TC ROUTER 3002T-3G
HOTFIX: Update all TC ROUTER 3002T-3G devices to firmware version 3.08.8 or later
TC ROUTER 2002T-3G
HOTFIX: Update all TC ROUTER 2002T-3G devices to firmware version 3.08.8 or later
TC ROUTER 3002T-4G
HOTFIX: Update all TC ROUTER 3002T-4G, 3002T-4G GL, 3002T-4G VZW, and 3002T-4G ATT devices to firmware version 3.08.8 or later
TC ROUTER 2002T-4G
HOTFIX: Update all TC ROUTER 2002T-4G devices to firmware version 3.08.8 or later
TC ROUTER 5004T-5G EU
HOTFIX: Update all TC ROUTER 5004T-5G EU devices to firmware version 1.06.23 or later
CLOUD CLIENT 1101T-TX/TX
HOTFIX: Update all CLOUD CLIENT 1101T-TX/TX devices to firmware version 3.07.7 or later
TC CLOUD CLIENT 1002-4G ATT
HOTFIX: Update all TC CLOUD CLIENT 1002-4G ATT devices to firmware version 3.08.8 or later
TC CLOUD CLIENT 1002-TX/TX
HOTFIX: Update all TC CLOUD CLIENT 1002-TX/TX devices to firmware version 3.07.7 or later
CVEs (1)