PHOENIX CONTACT: OS Command Injection in WP 6xxx Web panels
Description
A remote, unauthenticated attacker can exploit a date/time POST request attribute to gain full administrative access on Phoenix Contact WP 6xxx series web panels prior to 4.0.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In PHOENIX CONTACT WP 6xxx series web panels versions prior to 4.0.10, a remote, unauthenticated attacker can abuse a specific attribute of an HTTP POST request related to date/time operations. This vulnerability allows full device access without any prior authentication. The affected product line includes WP 6000, WP 6100, and WP 6200 series devices running firmware versions below 4.0.10 [1].
Exploitation
An attacker needs only network access to the web panel's management interface. No authentication or user interaction is required. The attacker crafts an HTTP POST request that incorporates a specific attribute tied to date/time functionality, which triggers the flaw. The request is sent to the device's web server, leading to unauthorized administrative access [1].
Impact
Successful exploitation grants the attacker full control over the affected device. This includes the ability to execute arbitrary OS commands with administrative privileges, read any files accessible to the 'browser' user, and compromise the confidentiality, integrity, and availability of the device. The attacker can gain an administrative shell and perform any action on the system [1].
Mitigation
PHOENIX CONTACT has released firmware version 4.0.10 to address this vulnerability. Users should update their devices to this version or later. No workaround is available for unpatched versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.0.10
- PHOENIX CONTACT/WP 6070-WVPS v5, Range: 0
- PHOENIX CONTACT/WP 6101-WXPS v5, Range: 0
- PHOENIX CONTACT/WP 6121-WXPS v5, Range: 0
- PHOENIX CONTACT/WP 6156-WHPS v5, Range: 0
- PHOENIX CONTACT/WP 6185-WHPS v5, Range: 0
- PHOENIX CONTACT/WP 6215-WHPS v5, Range: 0
References