PHOENIX CONTACT: WP 6xxx Web panels prone to download code without integrity check
Description
A remote attacker with SNMPv2 write privileges can exploit a vulnerability in Phoenix Contact WP 6xxx web panels prior to 4.0.10 to gain full device access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In PHOENIX CONTACT WP 6xxx series web panels running versions prior to 4.0.10, a vulnerability exists in the handling of SNMPv2 requests. An attacker with SNMPv2 write privileges can send a specially crafted SNMP request that triggers a command injection or authentication bypass, leading to full device compromise. The affected product line includes all WP 6xxx models before firmware version 4.0.10 [1].
Exploitation
To exploit this vulnerability, an attacker must have SNMPv2 write access to the target device, which typically requires knowledge of the SNMP community string. The attacker sends a malicious SNMP request that exploits the flaw, potentially allowing arbitrary command execution or privilege escalation without further authentication. No user interaction is required, and the attack can be performed remotely over the network [1].
Impact
Successful exploitation grants the attacker full administrative access to the device. This includes the ability to execute arbitrary OS commands with administrative privileges, read any files accessible to the 'browser' user, craft valid session cookies, decrypt the web service password, retrieve SNMP communities, and craft malicious firmware update packets. The confidentiality, integrity, and availability of the device are completely compromised [1].
Mitigation
Phoenix Contact has released firmware version 4.0.10 to address this vulnerability. Users should update their WP 6xxx series web panels to version 4.0.10 or later. If immediate patching is not possible, restrict SNMPv2 write access to trusted hosts only and ensure SNMP community strings are strong and not shared. No workaround is available that fully mitigates the issue without upgrading [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.0.10
- PHOENIX CONTACT/WP 6070-WVPSv5 Range: 0
- PHOENIX CONTACT/WP 6101-WXPSv5 Range: 0
- PHOENIX CONTACT/WP 6121-WXPSv5 Range: 0
- PHOENIX CONTACT/WP 6156-WHPSv5 Range: 0
- PHOENIX CONTACT/WP 6185-WHPSv5 Range: 0
- PHOENIX CONTACT/WP 6215-WHPSv5 Range: 0
Patches
No patches discovered yet.
References