Industrial control systems are often deployed in environments where availability, safety, and reliability are non-negotiable. A single controller can orchestrate production lines, regulate energy flows, or ensure the safe treatment and distribution of water. In these contexts, trust boundaries between users, applications, and system components are fundamental to maintaining secure operations.
The Phoenix Contact PLCnext AXC F 3152 is designed precisely for these demanding scenarios. Commonly deployed in factory automation, energy management, water treatment facilities, and other critical infrastructure, the device provides powerful automation capabilities through its open PLCnext Platform. Its modern web interface, support for multiple industrial protocols, and extensibility through third-party applications make it a flexible cornerstone of many OT environments.
During a recent security research activity, Nozomi Networks Labs analyzed the Phoenix Contact PLCnext AXC F 3152 running firmware version 2024.0.6, identifying several security vulnerabilities in its web interface. According to the vendor, these issues affect multiple PLCnext models, extending the potential impact beyond a single device. The most severe finding allows a low-privileged user with an Engineer profile to escalate privileges and fully compromise the system, enabling the execution of operations that should be strictly forbidden at that access level.
Following vulnerability notification through a responsible disclosure process, Phoenix Contact promptly addressed the reported issues by releasing updated firmware for the affected devices.
Research Scope
The Phoenix Contact PLCnext AXC F 3152 is a high-performance industrial PLC (Programmable Logic Controller) designed for demanding automation applications. The device is based on the PLCnext Platform by Phoenix Contact, an open automation ecosystem that extends traditional PLC functionality with modern IT and OT integration.
The device is configured through a web-based management interface, which allows users to set up, monitor, and control system parameters as shown in Figure 1.

Within this interface, different user roles with varying privilege levels are defined (Figure 2), ensuring controlled access to critical functionalities. Proper access control is crucial to maintaining the security and reliability of industrial operations.
The vulnerabilities discussed in this blog stem from a thorough security evaluation of the PLCnext AXC F 3152 web interface.
Attack Scenario
Imagine a water treatment facility serving a mid-sized city. At the heart of the plant’s automation network is a Phoenix Contact PLCnext AXC F 3152, responsible for coordinating filtration stages, controlling pumps, and managing chemical dosing through protocols such as OPC UA and PROFINET, industrial communication standards that enable secure, real-time data exchange and interoperability between controllers, sensors, actuators, and supervisory systems.
The PLC is accessed daily by multiple users:
- Administrators, who manage firmware updates and system-wide configuration
- Engineers, who deploy control logic, install applications, and perform troubleshooting
- Operators, who monitor the system and respond to alarms
To minimize risk, the Engineer role is intentionally restricted. Engineers are trusted to work on automation tasks, but not to alter security settings, user management, or low-level system components.
At least, that is the assumption.
The most critical vulnerability allows a low-privileged user with the Engineer role to exploit the web interface's application installation functionality to escalate their privileges to root, gaining full control over the device. Since the Engineer role has restricted administrative permissions, this flaw enables unauthorized modifications to system settings that should normally be inaccessible to such users.
In a realistic attack scenario, an adversary does not start as an external hacker scanning the internet. Instead, they may already have limited internal access, for example:
- A compromised engineering workstation
- Stolen VPN credentials
- A malicious insider with Engineer-level permissions
With this level of access, the attacker can authenticate to the PLCnext web interface using legitimate Engineer credentials, without needing to exploit a vulnerability.

The exploitation path unfolds as follows:
- The attacker identifies an existing PLCnext application, either one that is already installed on the device or a legitimate application obtained from the PLCnext ecosystem.
- The application is modified offline to include additional functionality unrelated to its original purpose.
- Through the PLCnext web interface, the attacker installs the altered application. At this stage, a critical security weakness is exposed: the device does not enforce digital signature validation, so it cannot confirm whether the application originates from the trusted PLCnext Store.
- Privilege Escalation: Once installed, the application is executed with root privileges.
The Engineer user, without ever being granted administrative rights, has now effectively obtained full control of the device.
The vulnerability has been assigned CVE-2025-41669, with a CVSS 3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and a base score of 8.8.
Once full control of the PLC is obtained, the impact is no longer limited to the device itself: it directly affects physical processes and operational continuity.
In the water treatment facility scenario described at the beginning of this blog post, an attacker with root access could:
- Interrupt pump and valve coordination, causing pressure imbalances or forcing automated safety shutdowns
- Disable remote monitoring, leaving operators blind to real-time process conditions
- Manipulate control logic execution, resulting in delayed or incorrect responses to sensor data
Operators may observe alarms, loss of telemetry, or unexplained equipment behavior, often without a clear indication of the root cause. As the attack progresses, operators may be left with no choice but to shut down systems to avoid unsafe operating conditions, turning a cybersecurity incident into an immediate availability crisis. What begins as a compromise of a single controller can quickly escalate into equipment stress, service disruption, and emergency response procedures.
What Are the Impacts of These Vulnerabilities?
The described vulnerability allows a low-privileged user with the Engineer role to exploit the web interface's application installation functionality to escalate their privileges to root, gaining full control over the device. Since the Engineer role has restricted administrative permissions, this flaw enables unauthorized modifications to system settings that should normally be inaccessible to such users. The following is a list of all possible impacts from the exploitation of this vulnerability, with corresponding MITRE ATT&CK references noted in parentheses.
- Lateral movement within the network (T1210 – Exploitation of Remote Services): After compromising a Phoenix Contact PLCnext AXC F 3152 device, an attacker could use it as a foothold to navigate through the network, targeting other connected devices or systems. This could lead to further compromises, potentially escalating the attack to affect critical operations or even disrupting the entire infrastructure.
- Denial-of-Service (DoS) Attack (T1499 – Endpoint Denial of Service): An attacker could disrupt operations by disabling critical features within the web application, such as network settings, rendering the device unreachable. Additionally, they could deactivate essential OT network protocols like Ethernet/IP, OPC UA, or PROFINET, causing communication failures and application malfunctions.
- Weakening Security Measures (T1556 – Modify Authentication Process): An attacker could alter restricted security settings, such as user authentication, privilege levels, or firewall rules, making the device more vulnerable to potential threats and unauthorized access.
Vulnerability List and Affected Versions
The table below lists all the vulnerabilities discovered through the research activity and confirmed to be present in firmware versions up to 2025.0.2 of the following Phoenix Contact PLCnext-based devices:
- AXC F 1152
- AXC F 2152
- AXC F 3152
- RFC 4072S
- BPC 9102S
Results are sorted by CVSS 3.1 score from most to least severe.
Vulnerability Spotlight
For this blog’s “Vulnerability Spotlight” we decided to focus on the previously described CVE-2025-41669, a CWE-349 “Improper Verification of Cryptographic Signature” vulnerability allowing a low-privileged user belonging to the “Engineer” role to elevate their privileges to “root” by manipulating a legitimate application downloaded from the PLCnext Store.
The user manual for the device specifies an Engineer role with a restricted set of capabilities on the PLC device. Despite these limitations, users assigned to this role can access the PLCnext Apps section within the Web-based Management application. This access allows them to manually install applications that are typically downloaded from the PLCnext Store. By examining an application obtained from the store—specifically, the Telegraf application for x64 CPUs—it becomes evident that the application is actually a squashfs file system image, as illustrated in the screenshot below.
By extracting the contents of the squashfs image, it becomes clear that the app_info.json file defines how the application runs on the device and specifies the main executable to be executed.

To assess the impact of installing an untrusted application, the main Telegraf executable was replaced with a malicious payload—in this case, a simple execution of the id command in Linux. The squashfs image was then rebuilt, as demonstrated below.

Using an Engineer user session in the Web-based Management application, the modified test.app application was successfully installed. Upon analyzing the /tmp/exp file, it was observed that the malicious payload embedded in test.app executed with root privileges on the Linux operating system. This confirms that the attack method effectively escalates privileges from the low-privileged Engineer role to root.
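The exploitation path above and the spotlight analysis both hinge on one missing control: the device accepts any squashfs image an Engineer uploads without confirming it is the file the vendor published. The following added example (not code from the original post or from Phoenix Contact) shows the check an operator could apply to a downloaded .app before it is manually installed, while vendor-side signature support is still being rolled out. It assumes that known-good SHA-256 values for the approved apps are available (here a constructed placeholder set) and that the .app is a standard squashfs 4.0 image, as the page shows for the Telegraf app; the sample image is a constructed header with filler, not a real application.

```python
import hashlib
import struct

# squashfs 4.0 superblock, little-endian; field order follows the on-disk format
SQUASHFS_MAGIC = 0x73717368  # ASCII "hsqs"
COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SUPERBLOCK_LEN = 96

def parse_superblock(image: bytes) -> dict:
    """Return key superblock fields, or raise ValueError if the header is not a sane squashfs 4.0 one."""
    if len(image) < SUPERBLOCK_LEN:
        raise ValueError("file too short to be a squashfs image")
    (magic, inodes, _mtime, block_size, _frags, comp_id, block_log, _flags,
     _ids, ver_major, ver_minor, _root_ref, bytes_used) = struct.unpack_from(
        "<IIIIIHHHHHHQQ", image, 0)
    if magic != SQUASHFS_MAGIC:
        raise ValueError("not a squashfs image (bad magic)")
    if (ver_major, ver_minor) != (4, 0):
        raise ValueError(f"unsupported squashfs version {ver_major}.{ver_minor}")
    if block_size != 1 << block_log:
        raise ValueError("block_size and block_log disagree")
    if bytes_used > len(image):
        raise ValueError("superblock claims more bytes than the file holds")
    return {"inodes": inodes, "block_size": block_size, "bytes_used": bytes_used,
            "compression": COMPRESSION.get(comp_id, f"unknown({comp_id})")}

def check_app(image: bytes, approved_sha256: set[str]) -> tuple[bool, str]:
    """Gate a manually uploaded .app: structural sanity first, then pin to a known-good hash."""
    try:
        info = parse_superblock(image)
    except ValueError as exc:
        return False, f"reject: {exc}"
    digest = hashlib.sha256(image).hexdigest()
    if digest not in approved_sha256:
        return False, f"reject: sha256 {digest[:16]}... is not on the approved list"
    return True, f"accept: {info['compression']} squashfs, {info['inodes']} inodes"

def _build_sample() -> bytes:
    """Constructed stand-in for a vendor .app: a bare superblock plus filler, not a real image."""
    hdr = struct.pack("<IIIIIHHHHHHQQ", SQUASHFS_MAGIC, 42, 0, 131072, 3,
                      4, 17, 0xC0, 2, 4, 0, 0, 160)
    return hdr + bytes(160 - len(hdr))

SAMPLE_APP = _build_sample()
APPROVED = {hashlib.sha256(SAMPLE_APP).hexdigest()}  # stands in for vendor-published hashes
TAMPERED_APP = SAMPLE_APP[:100] + b"X" + SAMPLE_APP[101:]  # one payload byte altered

if __name__ == "__main__":
    for name, blob in (("original", SAMPLE_APP), ("tampered", TAMPERED_APP)):
        print(name, *check_app(blob, APPROVED))
```

A single changed byte inside the image, such as a swapped main executable, changes the digest and fails the pin even though the superblock still parses cleanly, which is exactly the case the device itself did not catch.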

Conclusions and Recommendations
Nozomi Networks reached out to the vendor through a responsible disclosure process. Phoenix Contact promptly addressed the issues by publishing two security advisories detailing the vulnerabilities and the affected products:
- Link to advisory addressing CVEs from CVE-2025-41665 to CVE-2025-41668
- Link to advisory addressing CVE-2025-41669 and CVE-2025-41670
Following Nozomi Networks’ vulnerability disclosure, Phoenix Contact has outlined clear steps to strengthen the security of its ecosystem. In particular, the company is introducing support for signed applications, a measure designed to protect the integrity of engineering workflows.
With this update, engineers will no longer be able to import tampered or manipulated applications when signature verification is enabled. By ensuring that only trusted and verified apps can be used, Phoenix Contact is taking an important step toward preventing unauthorized modifications and reinforcing overall system security.
According to the advisories, the recommended remediation is to update the firmware of the impacted devices to the latest version.
As a temporary mitigation to reduce the risk, we recommend that customers grant access to impacted PLCnext devices only to trusted users. Additionally, implementing strict network segregation is essential to prevent unauthorized access to the device.
To help organizations promptly identify whether the vulnerable device is present in their environment—and to detect and alert on exploitation attempts before they lead to operational disruption, compromise, or further attack progression—customers can rely on the advanced capabilities of Nozomi Networks Guardian. Guardian provides deep visibility into network traffic and device behavior, enabling effective vulnerability and threat detection across OT and IoT networks.


This proactive monitoring empowers security teams to respond swiftly and effectively, minimizing the impact of attacks targeting critical OT infrastructure. To learn more about the Nozomi Networks OT/IoT Security Platform and see it in action, request a demo today.