CVE-2025-41717
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection’).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Phoenix Contact | TC ROUTER 3002T-3G | 0.0.0 < 3.08.8 | affected |
| Phoenix Contact | TC ROUTER 2002T-3G | 0.0.0 < 3.08.8 | affected |
| Phoenix Contact | TC ROUTER 3002T-4G | 0.0.0 < 3.08.8 | affected |
| Phoenix Contact | TC ROUTER 3002T-4G GL | 0.0.0 < 3.08.8 | affected |
| Phoenix Contact | TC ROUTER 5004T-5G EU | 0.0.0 < 1.06.23 | affected |
| Phoenix Contact | TC ROUTER 3002T-4G VZW | 0.0.0 < 3.08.8 | affected |
| Phoenix Contact | TC ROUTER 3002T-4G ATT | 0.0.0 < 3.08.8 | affected |
| Phoenix Contact | TC ROUTER 2002T-4G | 0.0.0 < 3.08.8 | affected |
| Phoenix Contact | CLOUD CLIENT 1101T-TX/TX | 0.0.0 < 3.07.7 | affected |
| Phoenix Contact | TC CLOUD CLIENT 1002-4G ATT | 0.0.0 < 3.08.8 | affected |
| Phoenix Contact | TC CLOUD CLIENT 1002-TX/TX | 0.0.0 < 3.07.7 | affected |
Weaknesses
- CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.