CVE-2023-3572

Name of the Vulnerable Software and Affected Versions PHOENIX CONTACTs WP 6xxx series web panels versions prior to 4.0.10

Description A remote, unauthenticated attacker may use an attribute of a specific HTTP POST request related to date/time operations to gain full access to the device. The vulnerability exists due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of the vulnerability may allow a remote attacker to gain unauthorized access to the device using a specially crafted POST request.

Recommendations For versions prior to 4.0.10, update to version 4.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the device and limiting the use of HTTP POST requests related to date/time operations until a patch is applied.