|Article No°||Product Name||Affected Version(s)|
|1234355||CLOUD CLIENT 2002T-4G EU||< 22.214.171.124|
|1234360||CLOUD CLIENT 2002T-WLAN||< 126.96.36.199|
|1234357||CLOUD CLIENT 2102T-4G EU WLAN||< 188.8.131.52|
|1234352||TC ROUTER 4002T-4G EU||< 184.108.40.206|
|1234353||TC ROUTER 4102T-4G EU WLAN||< 220.127.116.11|
|1234354||TC ROUTER 4202T-4G EU WLAN||< 18.104.22.168|
Two Vulnerabilities have been discovered in TC ROUTER 4000 series and CLOUD CLIENT 2000 series up to firmware version 4.5.7x.107.
The web administration interface is vulnerable for authenticated admin users to path traversals, which could lead to arbitrary file uploads or deletion. Unvalidated user input also enables execution of OS commands.
NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. This issue affects NSRW: from 22.214.171.124 before 126.96.36.199, from 188.8.131.52 before 184.108.40.206, from 220.127.116.11 before 18.104.22.168, from 22.214.171.124 before 126.96.36.199.
The NetModule NSRW web administration interface is vulnerable to path traversals, which could lead to arbitrary file uploads and deletion. By uploading malicious files to the web root directory, authenticated users could gain remote command execution with elevated privileges. This issue affects NSRW: from 188.8.131.52 before 184.108.40.206, from 220.127.116.11 before 18.104.22.168, from 22.214.171.124 before 126.96.36.199, from 188.8.131.52 before 184.108.40.206.
The web interface is available only after authentication. An authorized admin user could use these vulnerabilities to execute arbitrary commands, upload arbitrary files or delete files from the device. This may lead to the device no longer functioning properly.
Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note: Measures to protect network-capable devices with Ethernet connection
The vulnerability is fixed in firmware version 4.6.7x.101. We strongly recommend all affected users to upgrade to this or a later version.
This vulnerability was discovered and reported by ONEKEY.
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.