PHOENIX CONTACT: OS Command Injection in WP 6xxx Web panels
Description
A remote low-privileged attacker can use a crafted HTTP POST request for certificate operations to gain full administrative access on Phoenix Contact WP 6xxx web panels before 4.0.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In PHOENIX CONTACT WP 6xxx series web panels (versions prior to 4.0.10), a remote attacker with low privileges can exploit an issue in certificate operations via a crafted HTTP POST request. The vulnerability allows the attacker to escalate privileges and gain full device access. The affected product series includes WP 6001, WP 6002, WP 6012, WP 6032, WP 6042, WP 6082, WP 6122 and WP 6000 3G families [1].
Exploitation
The attacker must have low-privileged access (e.g., a standard user account) to the web panel's management interface. By sending a specifically crafted HTTP POST request related to certificate operations, the attacker can trigger the vulnerability. No further user interaction is required. The attack does not require any physical access or special network position beyond being able to reach the device's web interface [1].
Impact
Successful exploitation grants the attacker full access to the device, including the ability to execute commands as an administrative user (root), read arbitrary files, modify system configurations, and potentially compromise the confidentiality, integrity, and availability of the device. The attacker effectively obtains an administrative shell with full control [1].
Mitigation
Phoenix Contact has released firmware version 4.0.10, which fixes this vulnerability. Users should update their WP 6xxx devices to version 4.0.10 or later. If updating is not immediately possible, restrict network access to the web interface to trusted users and networks as a workaround. No other mitigations are documented in the available advisory [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products (7):
- Range: <4.0.10
- PHOENIX CONTACT / WP 6070-WVPSv5, Range: 0
- PHOENIX CONTACT / WP 6101-WXPSv5, Range: 0
- PHOENIX CONTACT / WP 6121-WXPSv5, Range: 0
- PHOENIX CONTACT / WP 6156-WHPSv5, Range: 0
- PHOENIX CONTACT / WP 6185-WHPSv5, Range: 0
- PHOENIX CONTACT / WP 6215-WHPSv5, Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.