A WebHMI utility may be exploited by any logged in user allowing the execution of arbitrary OS commands on the server. This provides the opportunity for a command injection attack.
If vulnerability is exploited, the attacker may execute system level commands at will with administrative privileges.
Temporary Fix / Mitigation
Customers using Phoenix Contact 802-11XD radio modules are recommended to operate the devices in closed networks or protected with a suitable firewall.
For detailed information on our recommendations for measures to protect network-capable devices, please refer to the application note:
The product has been removed from active maintenance due to obsolescence. For this reason, it is recommended that concerned customers upgrade to the active FL WLAN product line.
This vulnerability was discovered by Maxim Rupp (rupp.it)