CVE-2025-41717

CWE-94 — Code Injection CWE-770 — Allocation without Limits4 documents4 sources

Severity

8.8HIGH

EPSS

0.0%

top 85.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phoenix Contact Cloud Client 1101t-tx/tx Phoenix Contact TC Cloud Client 1002-4g ATT Phoenix Contact TC Cloud Client 1002-tx/tx +8 more

Timeline

PublishedJan 13

Description

An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection’).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages11 packages

▶CVEListV5phoenix_contact/tc_router_2002t-3g0.0.0 — 3.08.8

▶CVEListV5phoenix_contact/tc_router_2002t-4g0.0.0 — 3.08.8

▶CVEListV5phoenix_contact/tc_router_3002t-3g0.0.0 — 3.08.8

▶CVEListV5phoenix_contact/tc_router_3002t-4g0.0.0 — 3.08.8

▶CVEListV5phoenix_contact/tc_router_3002t-4g_gl0.0.0 — 3.08.8

🔴Vulnerability Details

CVEList

Config-Upload Code Injection↗2026-01-13

▶

GHSA

GHSA-2448-826c-4v5m: An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code↗2026-01-13

▶

📋Vendor Advisories

Microsoft

Excessive memory growth in net/http and golang.org/x/net/http2↗2022-12-13

▶