Phoenix Contact: PLCnext Firmware Security Issues Related to APPs and Configuration Files

Plan: Patch
CVSS: 8.8
Advisory ID: VDE-2026-050
Published: May 27, 2026
Vendor: Phoenix Contact
Sector: Manufacturing
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

PLCnext firmware versions before 2026.0.3 do not enforce signature verification on installed applications, and do not securely handle configuration files stored in writable directories. This allows authenticated attackers to install unsigned or malicious apps and modify system configurations. The vulnerabilities affect APP authenticity (CWE-347) and APP integrity (CWE-427). Firmware version 2026.0.3 and later enable APP signature verification by default, allowing only signed applications to be installed.

What this means
What could happen
An authenticated attacker with access to the PLCnext web interface could install malicious applications or modify configuration files to execute arbitrary commands on the controller, potentially disrupting production processes or altering machine behavior.
Who's at risk
Manufacturing facilities using Phoenix Contact PLCnext controllers (AXC F series, BPC 9102S, EPC 1522, RFC 40xx, VL3 UPC 2440 EDGE, VPLCNEXT CONTROL series) for process automation, machine control, or critical operations. Any facility where unauthorized APP installation or configuration tampering could cause unplanned downtime or safety issues.
How it could be exploited
An attacker with network access to the web-based management (WBM) interface and valid engineering credentials could bypass APP signature verification to install unsigned applications, or modify configuration files stored in writable directories. This allows code execution with controller privileges.
Prerequisites
  • Network access to the PLCnext controller's web management interface (typically port 80/443)
  • Valid engineering workstation credentials
  • Firmware version prior to 2026.0.3
Tags:
  • remotely exploitable
  • requires engineering credentials
  • affects multiple industrial controller models
  • no authentication required for APP installation (pre-2026.0.3)
  • unsigned apps can be installed
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (14)
14 with fix
Product          Affected Versions   Fix Status
AXC F 1152       < 2026.0.3          2026.0.3
AXC F 1252       < 2026.0.3          2026.0.3
AXC F 2000 EA    < 2026.0.3          2026.0.3
AXC F 2152       < 2026.0.3          2026.0.3
AXC F 3152       < 2026.0.3          2026.0.3
BPC 9102S        < 2026.0.3          2026.0.3
EPC 1522         < 2026.0.3          2026.0.3
RFC 4072R        < 2026.0.3          2026.0.3
Remediation & Mitigation
Do now
WORKAROUND: Restrict web management interface (WBM) access to trusted engineering workstations and networks using firewall rules
HARDENING: Protect and limit distribution of engineering credentials; use strong passwords and consider account restrictions
WORKAROUND: Disable the APP Manager service via WBM System Services if application installation is not required for your process
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected PLCnext controllers to firmware version 2026.0.3 or later
WORKAROUND: If APPs must be used prior to updating firmware, manually verify APP SHA-256 checksums from the official PLCnext Store before installation
HARDENING: Enable Syslog monitoring for APP lifecycle and security events; review logs regularly for unauthorized installation attempts
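The manual checksum workaround above, as an added example that is not Phoenix Contact's own tooling: a small Python check run on the engineering workstation that normalizes the digest copied from the PLCnext Store listing, hashes the downloaded APP file in chunks and refuses a truncated or mismatched value. The sample payload and its "published" digest are constructed inline so the demo runs offline; note that a matching checksum only shows the file equals the store listing, it is not the signature verification that firmware 2026.0.3 enforces.

```python
"""Check a downloaded PLCnext APP against the SHA-256 published in the
PLCnext Store before installing it on pre-2026.0.3 firmware."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalize_digest(published: str) -> str:
    """Trim, lowercase and strip an optional 'sha256:' prefix from a digest
    pasted from the store page; reject anything that is not 64 hex chars so
    a truncated paste cannot silently match."""
    d = published.strip().lower()
    if d.startswith("sha256:"):
        d = d[len("sha256:"):]
    if not HEX64.match(d):
        raise ValueError(f"not a SHA-256 hex digest: {published!r}")
    return d


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so large APP archives are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_app(path: Path, published: str) -> bool:
    """True only when the file digest equals the published digest
    (constant-time compare; install nothing on False)."""
    return hmac.compare_digest(sha256_file(path), normalize_digest(published))


def demo() -> dict:
    """Constructed sample standing in for a downloaded .app archive. The
    'published' value is derived here only to keep the demo offline; in
    practice it is copied from the store listing, never from the download."""
    good = b"PLCnext APP demo payload (constructed)\n"
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "demo.app")
        app.write_bytes(good)
        published = "SHA256:" + hashlib.sha256(good).hexdigest().upper()
        ok = verify_app(app, published)           # untouched file -> True
        app.write_bytes(good + b"\x00")           # one modified byte
        tampered = verify_app(app, published)     # -> False
    return {"ok": ok, "tampered": tampered}
```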