CVE-2017-16743

CWE-285 CWE-863 — Incorrect Authorization3 documents3 sources

Severity

9.8CRITICAL

EPSS

1.2%

top 20.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phoenixcontact FL Switch 3004t-fx Firmware Phoenixcontact FL Switch 3004t-fx ST Firmware Phoenixcontact FL Switch 3005 Firmware +26 more

Timeline

PublishedJan 12

Latest updateMay 13

Description

An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to craft special HTTP requests allowing an attacker to bypass web-service authentication allowing the attacker to obtain administrative privileges on the device.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages30 packages

▶NVDphoenixcontact/fl_switch_3005_firmware1.0 — 1.32

▶NVDphoenixcontact/fl_switch_3008_firmware1.0 — 1.32

▶NVDphoenixcontact/fl_switch_3016_firmware1.0 — 1.32

▶NVDphoenixcontact/fl_switch_3005t_firmware1.0 — 1.32

▶NVDphoenixcontact/fl_switch_3008t_firmware1.0 — 1.32

Patches

Patch: ics-cert.us-cert.gov ↗Patch: ics-cert.us-cert.gov ↗

🔴Vulnerability Details

GHSA

GHSA-xp4q-qhv3-758q: An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1↗2022-05-13

▶

CVEList

CVE-2017-16743: An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1↗2018-01-12

▶