PHOENIX CONTACT: Multiple vulnerabilities in PLCnext Control devices

Multiple vulnerabilities in PLCnext devices running firmware 2020.1 LTS: authenticated stored cross-site scripting, unintended information disclosure, privilege escalation.

VDE-2020-049 (2020-12-17 11:00 UTC+0200)

Affected Vendors


Affected Products

Article no  Article                        Affected versions  Fixed version
1151412     AXC F 1152                     < 2021.0 LTS       Download
2404267     AXC F 2152                     < 2021.0 LTS       Download
1069208     AXC F 3152                     < 2021.0 LTS       Download
1051328     RFC 4072S                      < 2021.0 LTS       Download
1046568     AXC F 2152 Starterkit          < 2021.0 LTS       Download
1188165     PLCnext Technology Starterkit  < 2021.0 LTS       Download

Vulnerability Type

Improper Neutralization of Input (CWE-79)


Multiple vulnerabilities have been identified in PLCnext Control devices. Please consult section "Impact" for details.


CVE-ID: CVE-2020-12517
CWE: Improper Neutralization of Input (XSS) (CWE-79)
Description: An authenticated low-privileged user could embed malicious JavaScript code to gain admin rights when the admin user visits the vulnerable website (local privilege escalation).

CVE-ID: CVE-2020-12518
CWE: Exposure of Sensitive Information (CWE-200)
Description: An attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks.

CVE-ID: CVE-2020-12519
CWE: Improper Privilege Management (CWE-269)
Description: An attacker can use this vulnerability i.e. to open a reverse shell with root privileges.

CVE-ID: CVE-2020-12521
CWE: Improper Input Validation (CWE-20)
Description: A specially crafted LLDP packet may lead to a high system load in the PROFINET stack. An attacker can cause failure of system services or a complete reboot.


Phoenix Contact recommends that affected users upgrade to the current firmware 2021.0 LTS or higher, which fixes these vulnerabilities.
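
To find the devices that still need this upgrade, an asset inventory can be checked against the article numbers and the "< 2021.0 LTS" boundary given above. The following is an added example, not code from Phoenix Contact or CERT@VDE; the firmware string format, the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Article numbers and names copied from the advisory's "Affected Products" table.
AFFECTED = {
    "1151412": "AXC F 1152",
    "2404267": "AXC F 2152",
    "1069208": "AXC F 3152",
    "1051328": "RFC 4072S",
    "1046568": "AXC F 2152 Starterkit",
    "1188165": "PLCnext Technology Starterkit",
}
FIXED = (2021, 0)  # advisory: versions < 2021.0 LTS are affected

# Assumption: firmware strings start with "<year>.<release>", optionally
# followed by ".<patch>", " LTS" or a build suffix, e.g. "2020.0.1 LTS".
_VERSION = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?")

def parse_firmware(text):
    """Return (year, release, patch), or None if the string is not recognised."""
    m = _VERSION.match(text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def triage(article_no, firmware):
    """Classify one inventory record against VDE-2020-049."""
    if article_no not in AFFECTED:
        return "not-listed"
    version = parse_firmware(firmware)
    if version is None:
        return "unknown-version"  # never assume safe; check the device by hand
    return "affected" if version[:2] < FIXED else "fixed"

def report(inventory):
    """Map each (host, article_no, firmware) record to its triage status."""
    return {host: triage(art, fw) for host, art, fw in inventory}

# Constructed sample inventory: hostnames, versions and "9999999" are made up.
SAMPLE = [
    ("plc-line1", "2404267", "2020.0.1 LTS"),
    ("plc-line2", "1069208", "2021.0.3 LTS"),
    ("plc-lab", "1151412", "2020.6"),
    ("rfc-safety", "1051328", "n/a"),
    ("switch-07", "9999999", "3.2.1"),
]

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host:12} {status}")
```

Records reported as "unknown-version" should be treated as unpatched until the firmware version has been read from the device itself.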

Mitigation/Temporary Fix

Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to our application note:
Measures to protect network-capable devices with Ethernet connection (PDF)

Reported by

The vulnerabilities CVE-2020-12517, CVE-2020-12518 and CVE-2020-12519 were discovered by Patrick Muench, Torsten Loebner, Maurice Rothe, Pascal Keul and Daniel Hackel of SVA Systemvertrieb Alexander GmbH.

CERT@VDE coordinated.