PHOENIX CONTACT: Improper Privilege Management in WP 6xxx Web panels

Vulnerability

The SNMP daemon on Phoenix Contact WP 6xxx series web panels prior to version 4.0.10 runs with root privileges. This allows a remote attacker who knows the SNMPv2 read/write community string to execute arbitrary system commands as root via crafted SNMP set requests [1].

Exploitation

An attacker must have network access to the device and possess the SNMPv2 read/write community string (e.g., obtained through other vulnerabilities or brute-force). The attacker sends specially crafted SNMP set packets to the daemon, which executes the embedded command with root privileges [1].

Impact

Successful exploitation grants the attacker full root access to the device, enabling complete compromise of confidentiality, integrity, and availability. The attacker can execute arbitrary OS commands, install malicious software, and pivot to other systems on the network [1].

Mitigation

Phoenix Contact released firmware version 4.0.10 to fix this vulnerability. Users should update to this version or later. As a workaround, restrict SNMP access via firewall rules and change the default community strings, though this may not fully mitigate if the community string is compromised [1].