VDE-2022-053
Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2023-03-07 07:00 - Updated: 2025-05-14 13:00Summary
PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT
Notes
Summary: Two Vulnerabilities have been discovered in TC ROUTER 4000 series and CLOUD CLIENT 2000 series up to firmware version 4.5.7x.107.
The web administration interface is vulnerable for authenticated admin users to path traversals, which could lead to arbitrary file uploads or deletion. Unvalidated user input also enables execution of OS commands.
Impact: The web interface is available only after authentication. An authorized admin user could use these vulnerabilities to execute arbitrary commands, upload arbitrary files or delete files from the device. This may lead to the device no longer functioning properly.
Mitigation: Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection
Remediation: The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend all affected users to upgrade to this or a later version.
NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.
8.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection
Vendor Fix
The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend all affected users to upgrade to this or a later version.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CLOUD CLIENT 2002T-4G EU 4.6.7x.101
Phoenix Contact / Software / CLOUD CLIENT 2002T-4G EU
|
1234355
|
4.6.7x.101 | |
|
CLOUD CLIENT 2002T-WLAN 4.6.7x.101
Phoenix Contact / Software / CLOUD CLIENT 2002T-WLAN
|
1234360
|
4.6.7x.101 | |
|
CLOUD CLIENT 2102T-4G EU WLAN 4.6.7x.101
Phoenix Contact / Software / CLOUD CLIENT 2102T-4G EU WLAN
|
1234357
|
4.6.7x.101 | |
|
TC ROUTER 4002T-4G EU 4.6.7x.101
Phoenix Contact / Software / TC ROUTER 4002T-4G EU
|
1234352
|
4.6.7x.101 | |
|
TC ROUTER 4102T-4G EU WLAN 4.6.7x.101
Phoenix Contact / Software / TC ROUTER 4102T-4G EU WLAN
|
1234353
|
4.6.7x.101 | |
|
TC ROUTER 4202T-4G EU WLAN 4.6.7x.101
Phoenix Contact / Software / TC ROUTER 4202T-4G EU WLAN
|
1234354
|
4.6.7x.101 |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CLOUD CLIENT 2002T-4G EU <4.5.73.107
Phoenix Contact / Software / CLOUD CLIENT 2002T-4G EU
|
1234355
|
<4.5.73.107 | |
|
CLOUD CLIENT 2002T-WLAN <4.5.73.107
Phoenix Contact / Software / CLOUD CLIENT 2002T-WLAN
|
1234360
|
<4.5.73.107 | |
|
CLOUD CLIENT 2102T-4G EU WLAN <4.5.73.107
Phoenix Contact / Software / CLOUD CLIENT 2102T-4G EU WLAN
|
1234357
|
<4.5.73.107 | |
|
TC ROUTER 4002T-4G EU <4.5.72.107
Phoenix Contact / Software / TC ROUTER 4002T-4G EU
|
1234352
|
<4.5.72.107 | |
|
TC ROUTER 4102T-4G EU WLAN <4.5.72.107
Phoenix Contact / Software / TC ROUTER 4102T-4G EU WLAN
|
1234353
|
<4.5.72.107 | |
|
TC ROUTER 4202T-4G EU WLAN <4.5.72.107
Phoenix Contact / Software / TC ROUTER 4202T-4G EU WLAN
|
1234354
|
<4.5.72.107 |
The NetModule NSRW web administration interface is vulnerable to path traversals, which could lead to arbitrary file uploads and deletion. By uploading malicious files to the web root directory, authenticated users could gain remote command execution with elevated privileges. This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.
8.8 (High)
Mitigation
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection
Vendor Fix
The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend all affected users to upgrade to this or a later version.
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CLOUD CLIENT 2002T-4G EU 4.6.7x.101
Phoenix Contact / Software / CLOUD CLIENT 2002T-4G EU
|
1234355
|
4.6.7x.101 | |
|
CLOUD CLIENT 2002T-WLAN 4.6.7x.101
Phoenix Contact / Software / CLOUD CLIENT 2002T-WLAN
|
1234360
|
4.6.7x.101 | |
|
CLOUD CLIENT 2102T-4G EU WLAN 4.6.7x.101
Phoenix Contact / Software / CLOUD CLIENT 2102T-4G EU WLAN
|
1234357
|
4.6.7x.101 | |
|
TC ROUTER 4002T-4G EU 4.6.7x.101
Phoenix Contact / Software / TC ROUTER 4002T-4G EU
|
1234352
|
4.6.7x.101 | |
|
TC ROUTER 4102T-4G EU WLAN 4.6.7x.101
Phoenix Contact / Software / TC ROUTER 4102T-4G EU WLAN
|
1234353
|
4.6.7x.101 | |
|
TC ROUTER 4202T-4G EU WLAN 4.6.7x.101
Phoenix Contact / Software / TC ROUTER 4202T-4G EU WLAN
|
1234354
|
4.6.7x.101 |
Known affected
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
CLOUD CLIENT 2002T-4G EU <4.5.73.107
Phoenix Contact / Software / CLOUD CLIENT 2002T-4G EU
|
1234355
|
<4.5.73.107 | |
|
CLOUD CLIENT 2002T-WLAN <4.5.73.107
Phoenix Contact / Software / CLOUD CLIENT 2002T-WLAN
|
1234360
|
<4.5.73.107 | |
|
CLOUD CLIENT 2102T-4G EU WLAN <4.5.73.107
Phoenix Contact / Software / CLOUD CLIENT 2102T-4G EU WLAN
|
1234357
|
<4.5.73.107 | |
|
TC ROUTER 4002T-4G EU <4.5.72.107
Phoenix Contact / Software / TC ROUTER 4002T-4G EU
|
1234352
|
<4.5.72.107 | |
|
TC ROUTER 4102T-4G EU WLAN <4.5.72.107
Phoenix Contact / Software / TC ROUTER 4102T-4G EU WLAN
|
1234353
|
<4.5.72.107 | |
|
TC ROUTER 4202T-4G EU WLAN <4.5.72.107
Phoenix Contact / Software / TC ROUTER 4202T-4G EU WLAN
|
1234354
|
<4.5.72.107 |
References
4 references
Acknowledgments
CERT@VDE
ONEKEY
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination"
},
{
"organization": "ONEKEY",
"summary": "reporting"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Two Vulnerabilities have been discovered in TC ROUTER 4000 series and CLOUD CLIENT 2000 series up to firmware version 4.5.7x.107.\nThe web administration interface is vulnerable for authenticated admin users to path traversals, which could lead to arbitrary file uploads or deletion. Unvalidated user input also enables execution of OS commands.",
"title": "Summary"
},
{
"category": "description",
"text": "The web interface is available only after authentication. An authorized admin user could use these vulnerabilities to execute arbitrary commands, upload arbitrary files or delete files from the device. This may lead to the device no longer functioning properly.",
"title": "Impact"
},
{
"category": "description",
"text": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection",
"title": "Mitigation"
},
{
"category": "description",
"text": "The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend all affected users to upgrade to this or a later version.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@phoenixcontact.com",
"name": "Phoenix Contact GmbH \u0026 Co. KG",
"namespace": "https://phoenixcontact.com/psirt"
},
"references": [
{
"category": "external",
"summary": "PHOENIX CONTACT PSIRT ",
"url": "https://phoenixcontact.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for PHOENIX CONTACT",
"url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
},
{
"category": "self",
"summary": "VDE-2022-053: PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT - HTML",
"url": "https://certvde.com/en/advisories/VDE-2022-053/"
},
{
"category": "self",
"summary": "VDE-2022-053: PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT - CSAF",
"url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2022-053.json"
}
],
"title": "PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT",
"tracking": {
"aliases": [
"VDE-2022-053"
],
"current_release_date": "2025-05-14T13:00:15.000Z",
"generator": {
"date": "2025-04-09T08:02:23.390Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.22"
}
},
"id": "VDE-2022-053",
"initial_release_date": "2023-03-07T07:00:00.000Z",
"revision_history": [
{
"date": "2023-03-07T07:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-05-14T13:00:15.000Z",
"number": "2",
"summary": "Fix: added distribution"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.5.73.107",
"product": {
"name": "CLOUD CLIENT 2002T-4G EU \u003c4.5.73.107",
"product_id": "CSAFPID-51001",
"product_identification_helper": {
"model_numbers": [
"1234355"
]
}
}
},
{
"category": "product_version",
"name": "4.6.7x.101",
"product": {
"name": "CLOUD CLIENT 2002T-4G EU 4.6.7x.101",
"product_id": "CSAFPID-52001",
"product_identification_helper": {
"model_numbers": [
"1234355"
]
}
}
}
],
"category": "product_name",
"name": "CLOUD CLIENT 2002T-4G EU"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.5.73.107",
"product": {
"name": "CLOUD CLIENT 2002T-WLAN \u003c4.5.73.107",
"product_id": "CSAFPID-51002",
"product_identification_helper": {
"model_numbers": [
"1234360"
]
}
}
},
{
"category": "product_version",
"name": "4.6.7x.101",
"product": {
"name": "CLOUD CLIENT 2002T-WLAN 4.6.7x.101",
"product_id": "CSAFPID-52002",
"product_identification_helper": {
"model_numbers": [
"1234360"
]
}
}
}
],
"category": "product_name",
"name": "CLOUD CLIENT 2002T-WLAN"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.5.73.107",
"product": {
"name": "CLOUD CLIENT 2102T-4G EU WLAN \u003c4.5.73.107",
"product_id": "CSAFPID-51003",
"product_identification_helper": {
"model_numbers": [
"1234357"
]
}
}
},
{
"category": "product_version",
"name": "4.6.7x.101",
"product": {
"name": "CLOUD CLIENT 2102T-4G EU WLAN 4.6.7x.101",
"product_id": "CSAFPID-52003",
"product_identification_helper": {
"model_numbers": [
"1234357"
]
}
}
}
],
"category": "product_name",
"name": "CLOUD CLIENT 2102T-4G EU WLAN"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.5.72.107",
"product": {
"name": "TC ROUTER 4002T-4G EU \u003c4.5.72.107",
"product_id": "CSAFPID-51004",
"product_identification_helper": {
"model_numbers": [
"1234352"
]
}
}
},
{
"category": "product_version",
"name": "4.6.7x.101",
"product": {
"name": "TC ROUTER 4002T-4G EU 4.6.7x.101",
"product_id": "CSAFPID-52004",
"product_identification_helper": {
"model_numbers": [
"1234352"
]
}
}
}
],
"category": "product_name",
"name": "TC ROUTER 4002T-4G EU"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.5.72.107",
"product": {
"name": "TC ROUTER 4102T-4G EU WLAN \u003c4.5.72.107",
"product_id": "CSAFPID-51005",
"product_identification_helper": {
"model_numbers": [
"1234353"
]
}
}
},
{
"category": "product_version",
"name": "4.6.7x.101",
"product": {
"name": "TC ROUTER 4102T-4G EU WLAN 4.6.7x.101",
"product_id": "CSAFPID-52005",
"product_identification_helper": {
"model_numbers": [
"1234353"
]
}
}
}
],
"category": "product_name",
"name": "TC ROUTER 4102T-4G EU WLAN"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.5.72.107",
"product": {
"name": "TC ROUTER 4202T-4G EU WLAN \u003c4.5.72.107",
"product_id": "CSAFPID-51006",
"product_identification_helper": {
"model_numbers": [
"1234354"
]
}
}
},
{
"category": "product_version",
"name": "4.6.7x.101",
"product": {
"name": "TC ROUTER 4202T-4G EU WLAN 4.6.7x.101",
"product_id": "CSAFPID-52006",
"product_identification_helper": {
"model_numbers": [
"1234354"
]
}
}
}
],
"category": "product_name",
"name": "TC ROUTER 4202T-4G EU WLAN"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Phoenix Contact"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
],
"summary": "Affected Products"
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005",
"CSAFPID-52006"
],
"summary": "Fixed Products"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0861",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input.\u00a0A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges.\nThis issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.\n\n",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005",
"CSAFPID-52006"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend all affected users to upgrade to this or a later version.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2023-0861"
},
{
"cve": "CVE-2023-0862",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "description",
"text": "The NetModule NSRW web administration interface is vulnerable to path traversals, which could lead to arbitrary file uploads and deletion. By uploading malicious files to the web root directory, authenticated users could gain remote command execution with elevated privileges.\n\nThis issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.\n",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-52001",
"CSAFPID-52002",
"CSAFPID-52003",
"CSAFPID-52004",
"CSAFPID-52005",
"CSAFPID-52006"
],
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend all affected users to upgrade to this or a later version.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006"
]
}
],
"title": "CVE-2023-0862"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…