CVE-2020-9435

Name of the Vulnerable Software and Affected Versions PHOENIX CONTACT TC ROUTER 3002T-4G versions 2.05.3 and earlier PHOENIX CONTACT TC ROUTER 2002T-3G versions 2.05.3 and earlier PHOENIX CONTACT TC ROUTER 3002T-4G VZW versions 2.05.3 and earlier PHOENIX CONTACT TC ROUTER 3002T-4G ATT versions 2.05.3 and earlier PHOENIX CONTACT TC CLOUD CLIENT 1002-4G versions 2.03.17 and earlier PHOENIX CONTACT TC CLOUD CLIENT 1002-TXTX versions 1.03.17 and earlier

Description The devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. This allows for impersonation, man-in-the-middle, or passive decryption attacks if the generic certificate is not replaced by a device-specific certificate during installation.

Recommendations For PHOENIX CONTACT TC ROUTER 3002T-4G versions 2.05.3 and earlier, replace the generic certificate with a device-specific certificate during installation. For PHOENIX CONTACT TC ROUTER 2002T-3G versions 2.05.3 and earlier, replace the generic certificate with a device-specific certificate during installation. For PHOENIX CONTACT TC ROUTER 3002T-4G VZW versions 2.05.3 and earlier, replace the generic certificate with a device-specific certificate during installation. For PHOENIX CONTACT TC ROUTER 3002T-4G ATT versions 2.05.3 and earlier, replace the generic certificate with a device-specific certificate during installation. For PHOENIX CONTACT TC CLOUD CLIENT 1002-4G versions 2.03.17 and earlier, replace the generic certificate with a device-specific certificate during installation. For PHOENIX CONTACT TC CLOUD CLIENT 1002-TXTX versions 1.03.17 and earlier, replace the generic certificate with a device-specific certificate during installation.