Skip to main content

PLCnext Control EUVDEUVD-2025-209952

| CVE-2025-41669 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-05-27 info@cert.vde.com GHSA-m3wg-2ch3-59m2
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 19:58 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.

AnalysisAI

Arbitrary root code execution in Phoenix Contact PLCnext Control devices (all firmware before 2026.0.3) is reachable by an authenticated low-privileged Engineer user who installs APP packages from the PLCnext Store through the Web-based Management (WBM) interface. Because the device never verifies the integrity or signature of the downloaded app (CWE-347, tagged JWT Attack), a tampered package runs as root and can compromise the integrity and availability of the controller. No public exploit is identified at time of analysis and EPSS is low (0.06%, 18th percentile), but the flaw is network-reachable with low attack complexity and a vendor patch (2026.0.3) is available.

Technical ContextAI

Phoenix Contact PLCnext Control is an industrial/OT platform (PLCs, edge controllers and virtual PLCnext instances) administered through a browser-based Web-based Management console. The console can fetch and install add-on applications (APPs) from the PLCnext Store. The root cause is CWE-347, Improper Verification of Cryptographic Signature: the install workflow accepts and deploys app packages without enforcing a valid integrity/signature check, so an attacker-controlled or modified package is treated as trusted. Apps run with root privileges on the controller, so a forged package becomes full code execution. The 'JWT Attack' tag suggests the trust/authorization decision around package handling relies on token-based validation that can be bypassed or forged, consistent with the missing-verification root cause.

RemediationAI

Vendor-released patch: 2026.0.3 - upgrade all affected PLCnext Control devices to firmware 2026.0.3 or later, which is the fixed-version boundary across every model in EUVD-2025-209952; follow the official advisory at https://www.certvde.com/en/advisories/VDE-2026-050/ for model-specific update guidance. Where immediate patching is not possible, reduce exposure with concrete compensating controls: restrict and audit Engineer-level accounts on the Web-based Management interface and remove unnecessary low-privileged users (trade-off: may slow legitimate engineering workflows); place the controllers behind network segmentation/firewalls so the WBM interface is reachable only from a trusted engineering workstation or jump host and never from IT or the internet (trade-off: requires firewall/VLAN changes and may break remote maintenance); and disable or block use of the PLCnext Store app-install function where it is not operationally required (trade-off: prevents installing legitimate apps until patched). Verify each app package source out-of-band until the verification fix is in place.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

EUVD-2025-209952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy