PHOENIX CONTACT: OS Command Injection in WP 6xxx Web panels
Description
A remote attacker with low privileges can use a crafted HTTP DELETE request to gain full administrative access on Phoenix Contact WP 6xxx web panels prior to 4.0.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In PHOENIX CONTACT WP 6xxx series web panels versions prior to 4.0.10, a remote attacker with low privileges can exploit a missing authentication check on a specific HTTP DELETE request. The device fails to properly validate the user's authorization for this request, allowing an unauthenticated or low-privileged user to perform administrative actions. [1]
Exploitation
An attacker with network access to the web panel and low-privileged credentials (or possibly without authentication) sends a crafted HTTP DELETE request to a vulnerable endpoint. The request bypasses access controls, granting the attacker the ability to execute commands or modify configuration. No user interaction is required beyond the initial request. [1]
Impact
Successful exploitation allows the attacker to gain full administrative access to the device, compromising confidentiality, integrity, and availability. The attacker can execute arbitrary OS commands with administrative privileges, read arbitrary files, and potentially take complete control of the web panel. [1]
Mitigation
The vulnerability is fixed in firmware version 4.0.10. Users should update to this version or later. No workarounds are mentioned in the advisory. The product is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7)
- Range: <4.0.10
- PHOENIX CONTACT/WP 6070-WVPS v5 Range: 0
- PHOENIX CONTACT/WP 6101-WXPS v5 Range: 0
- PHOENIX CONTACT/WP 6121-WXPS v5 Range: 0
- PHOENIX CONTACT/WP 6156-WHPS v5 Range: 0
- PHOENIX CONTACT/WP 6185-WHPS v5 Range: 0
- PHOENIX CONTACT/WP 6215-WHPS v5 Range: 0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.