
Phoenix Contact PLCnext CVE-2025-41670

EUVD-2025-209951 | HIGH
Uncontrolled Search Path Element (CWE-427)
2026-05-27 info@cert.vde.com GHSA-7grg-5m65-97hj
8.7
CVSS 4.0

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

Analysis Generated
May 27, 2026 - 19:58 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

Description (NVD)

A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation.

Analysis (AI)

Local privilege escalation in Phoenix Contact PLCnext controllers (AXC F 1152/1252/2152/3152, AXC F 2000 EA, RFC 4072R/4072S, EPC 1522, BPC 9102S, VL3 UPC 2440 EDGE) and the virtual PLCnext Control 500/1000/2000/3000 product lines before firmware 2026.0.3 allows a low-privileged local user to plant or modify configuration and application files in user-writable filesystem locations that a privileged service later consumes, gaining elevated privileges. The flaw (CWE-427) is rated CVSS 4.0 8.7 (High) but carries a very low EPSS of 0.03% (9th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical Context (AI)

PLCnext is Phoenix Contact's Linux-based industrial controller runtime used across its AXC F PLC family, RFC/EPC/BPC controllers, edge devices, and the software-only Virtual PLCnext Control variants. The root cause is classified as CWE-427 (Uncontrolled Search Path Element): a system service that runs with elevated privileges loads or processes configuration and application-related files from filesystem paths that are also writable by low-privileged users. Because the service does not adequately restrict or validate the provenance of those files, an attacker-controlled file in a shared/user-writable directory is trusted and acted upon by the privileged process, turning file write access into code/behavior execution at the service's privilege level.

Remediation (AI)

Vendor-released patch: 2026.0.3. Upgrade all affected PLCnext controllers and Virtual PLCnext Control instances to firmware/version 2026.0.3 or later, as indicated by the EUVD fixed-version boundary and the CERT@VDE advisory VDE-2026-050 (https://www.certvde.com/en/advisories/VDE-2026-050/). Confirm the exact patched build against that advisory before deploying to production OT systems.

Until patching is feasible, reduce who can reach the local attack surface. Restrict and audit low-privileged local accounts on the controllers, since exploitation requires an authenticated low-privileged user, and tighten filesystem permissions on the user-writable directories that the privileged service reads from so they cannot be modified by non-administrative users. Trade-off: overly aggressive permission changes can break legitimate application/config workflows and should be validated in a test cell first.

Place these controllers on isolated/segmented OT networks with strict access control to limit who can obtain interactive local access in the first place. Treat these as compensating controls only; the firmware update is the actual fix.


CVE-2025-41670 vulnerability details – vuln.today
