CVE-2025-41717
Code Injection via Config-Upload Endpoint Enables Root Access
Publication date: 2026-01-13
Last updated on: 2026-02-05
Assigner: CERT VDE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phoenix_contact | cloud_client | 3.07.7 |
| phoenix_contact | tc_cloud_client | 3.08.8 |
| phoenix_contact | tc_cloud_client | 3.07.7 |
| phoenix_contact | tc_router | 3.08.8 |
| phoenix_contact | tc_router | 1.06.23 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability leads to a total loss of confidentiality, integrity, and availability due to code injection as root. Such a loss can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. However, specific impacts on compliance are not detailed in the provided resources. [1]
Can you explain this vulnerability to me?
CVE-2025-41717 is a code injection vulnerability in the firmware of Phoenix Contact's TC ROUTER and CLOUD CLIENT industrial mobile network routers. An unauthenticated remote attacker can trick a highly privileged user into uploading a malicious payload via the config-upload endpoint. This leads to code injection running as root, resulting in a total loss of confidentiality, integrity, and availability of the affected devices. [1]
How can this vulnerability impact me?
This vulnerability can lead to a complete compromise of the affected devices, including total loss of confidentiality, integrity, and availability. An attacker can execute arbitrary code as root, potentially taking full control of the device, disrupting operations, stealing sensitive information, or causing device failure. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include strictly restricting administrative access to the affected devices and ensuring that configuration files are imported only from trusted sources. The recommended remediation is to upgrade the firmware to the fixed versions that address this vulnerability: TC ROUTER 3002T-3G, 2002T-3G, 3002T-4G (including GL, VZW, ATT), 2002T-4G to firmware 3.08.8; TC ROUTER 5004T-5G EU to firmware 1.06.23; CLOUD CLIENT 1101T-TX/TX to firmware 3.07.7; TC CLOUD CLIENT 1002-4G ATT to firmware 3.08.8; and TC CLOUD CLIENT 1002-TX/TX to firmware 3.07.7. [1]