PT-2018-1517 · Phoenix Contact · FL SWITCH 3xxx +2

Vyacheslav Moskvin · Published 2018-02-22 · Updated 2018-06-19 · CVE-2018-10730

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products, versions 1.0 through 1.33

Description

The issue is an OS command injection caused by a lack of neutralization of special elements in input that is passed to OS commands. It can allow a remote attacker to execute arbitrary commands. The vulnerability is associated with the config_transfer.cgi and software_update.cgi components of the firmware.

Recommendations

For versions 1.0 through 1.33, consider disabling the config_transfer.cgi and software_update.cgi components as a temporary workaround until a patch is available. Restrict access to these components to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2018-01072
CVE-2018-10730

Affected Products

FL SWITCH 3xxx
FL SWITCH 48xx
FL SWITCH 4xxx