Summary
This advisory addresses security issues in PLCnext firmware versions prior to 2026.0.3 that are related to APP handling and the processing of configuration files. The identified vulnerabilities affect APP installation authenticity as well as the handling of configuration data in writable directories. Successful exploitation may allow authenticated attackers with different privilege levels to compromise integrity, availability, and system security of affected PLCnext Control. Both issues are resolved starting with PLCnext firmware version 2026.0.3.
Impact
Depending on the vulnerability exploited, an attacker may be able to install manipulated APPs, influence the execution of privileged services through crafted configuration files, or execute unauthorized code with elevated permissions. This may lead to a compromise of integrity and availability of the PLCnext Control. Attack vectors include network-based access via the Web-based Management interface as well as local access by authenticated low-privileged users.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 1151412 | AXC F 1152 | <2026.0.3 |
| 1646469 | AXC F 1252 | <2026.0.3 |
| 1551772 | AXC F 2000 EA | <2026.0.3 |
| 2404267 | AXC F 2152 | <2026.0.3 |
| 1069208 | AXC F 3152 | <2026.0.3 |
| 1246285 | BPC 9102S | <2026.0.3 |
| 1185423 | EPC 1522 | <2026.0.3 |
| 1136419 | RFC 4072R | <2026.0.3 |
| 1051328 | RFC 4072S | <2026.0.3 |
| 1760157 | VL3 UPC 2440 EDGE | <2026.0.3 |
| 1737875 | VPLCNEXT CONTROL 1000 | <2026.0.3 |
| 1738453 | VPLCNEXT CONTROL 2000 | <2026.0.3 |
| 1738454 | VPLCNEXT CONTROL 3000 | <2026.0.3 |
| 1751491 | VPLCNEXT CONTROL 500 | <2026.0.3 |
Vulnerabilities
The Web-based Management allows a remote, low-privileged Engineer user to install additional APPs downloaded from the PLCnext Store onto the device without any data verification mechanism, which gives an Engineer user the capability to reach arbitrary code execution with root privileges on the PLC device. Successful exploitation may allow installation of a manipulated APP package, potentially impacting the integrity and availability of the PLCnext Control.
A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.
Mitigation
The following mitigation measures are recommended. Depending on the operational environment, one or more of these measures may be applied to reduce risk:
- Install APPs only from trusted sources and manually verify the SHA-256 checksum of the downloaded APP file before installation.
- Restrict access to the Web-based Management interface to authorized users only.
- Use firewall configuration to limit network communication to management interfaces and the services that are actually required, and to supervise execution behavior.
- Protect Engineer credentials and apply strong authentication practices.
- If APP functionality is not required for operation, consider disabling the APP Manager to reduce the attack surface.
- Exploitation of CVE-2025-41670 requires local access to the device; therefore, local access should be restricted to authorized and trusted users only. The device should be operated in a secured and controlled environment to prevent unauthorized local access.
- Enable system wide Syslog Server and check local security notifications to detect unexpected APP installation, execution behavior or abnormal system activity.
- Apply the latest firmware and security updates provided by the vendor.
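One way to carry out the SHA-256 verification from the first mitigation before an APP is handed to the APP Manager, as an added example that is not part of this advisory or of Phoenix Contact's tooling. It assumes the reference digest is obtained from the trusted source (the PLCnext Store listing) and that the sample APP file is a constructed stand-in:

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Tuple

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large APP packages need not fit in memory


def sha256_of_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 digest of the file at `path`, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_app_checksum(app_path: Path, expected_hex: str) -> Tuple[bool, str]:
    """Compare the downloaded APP file's SHA-256 with the digest published by the trusted source.

    Returns (ok, reason). The expected value is normalised (whitespace, case) so a
    copy-pasted digest still matches, and the comparison is constant-time.
    Install only when ok is True.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False, "expected digest is not a 64-character hex SHA-256 value"
    if not app_path.is_file():
        return False, f"APP file not found: {app_path}"
    actual = sha256_of_file(app_path)
    if not hmac.compare_digest(actual, expected):
        return False, f"checksum mismatch: got {actual}, expected {expected}"
    return True, "checksum verified"


def demo_verification() -> Dict[str, object]:
    """Run the check against a constructed sample file and return each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "example.app"  # constructed stand-in, not a real PLCnext APP
        app.write_bytes(b"constructed APP package contents\n")
        published = sha256_of_file(app)  # plays the role of the digest from the trusted source
        return {
            "valid": verify_app_checksum(app, published),
            "mismatch": verify_app_checksum(app, "00" * 32)[0],
            "bad_format": verify_app_checksum(app, "not-a-digest")[0],
            "missing": verify_app_checksum(Path(tmp) / "missing.app", published)[0],
        }


if __name__ == "__main__":
    for case, outcome in demo_verification().items():
        print(f"{case}: {outcome}")
```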
Remediation
Phoenix Contact recommends updating affected devices to PLCnext firmware version 2026.0.3 or later, which addresses all vulnerabilities described in this advisory. If immediate updates are not possible, apply the mitigation measures described above.
Acknowledgments
Phoenix Contact GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
- Diego Giubertoni from Nozomi for reporting
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 27.05.2026 12:00 | Initial |