Pepperl+Fuchs analyzed WirelessHART-Gateways in respect of a critical vulnerability within the Firmware. An attacker may exploit this vulnerability to get access to files and access restricted directories that are stored on the device by manipulating file parameters that reference these. Incoming HTTP requests using fcgi-bin/wgsetcgi and a filename parameter allow a directory / path traversal. A publicly available exploit already exists for this vulnerability.

Multiple vulnerabilities for MEVIEW3 have been identified in PHOENIX CONTACT MEVIEW3, versions below 3.14.25 and 3.15.18

Multiple vulnerabilities for FL SWITCH have been identified in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx version 1.0 to 1.34. 

An attacker may gain access (by elevated privileges) to CT50-Ex mobile computers through a vulnerability in a system service running the Android Operating System (OS). The system service improperly validates incoming connection requests. Although the vulnerability is significant, currently no known exploits publicly available. 

Incorrect handling request with non-standard symbols allows remote attackers to initiate a complete lock up of the bus coupler. Authentication of the request is not required.

The 750-8xx controller are susceptible to a Denial-of-Service attack due to a flood of network packets.

Please consult the original paper for details (link at the bottom of this advisory).

The processing program of the IEC 61131 program can be slowed down or stopped completely by creating a large amount of network traffic that needs to be handled by the ILC.

An unauthenticated user can exploit a vulnerability (CVE-2018-12981) to inject code in the WBM via reflected cross-site scripting (XSS), if he is able trick a user to open a special crafted web site. This could allow an attacker to execute code in the context of the user and execute arbitrary commands with restriction to the permissions of the user. Authenticated users can use a vulnerability to inject code in the WBM via persistent cross-site scripting (XSS) via special crafted requests which will be rendered and/or executed in the browser. Authenticated WBM users can transfer arbitrary files to different file system locations (CVE- 2018-12980) to which the web server has the required permissions and partially allowing replacing existing files due weak file permissions (CVE-2018-12979) which can result in an authentication bypass.