VDE-2020-025 — Vulnetix

VDE-2020-025 PUBLISHED CVSS 8.199999809265137 HIGH

The build settings of a PLCnext Engineer project (.pcwex) can be manipulated in a way that can result in the execution of remote code. The attacker needs to get access to a PLCnext Engineer project to be able to manipulate files inside. Additionally, the files of the remote code need to be transferred to a location which can be accessed by the PC that runs PLCnext Engineer. When PLCnext Engineer runs a build process of the manipulated project the remote code can be executed.

Risk Scores

CVSS v3.1

8.199999809265137

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
	Software PLCnext Engineer 2020.6
	Software PLCnext Engineer <=2020.3.1

Timeline

Jul 21, 2020 CVE Published
May 14, 2025 CVE Updated

References

https://www.phoenixcontact.com/de-de/service-und-support/psirt url
https://certvde.com/en/advisories/vendor/phoenixcontact url
https://certvde.com/de/advisories/VDE-2020-025/ advisory
https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-025.json advisory

Open in Interactive Console →