PT-2026-43541 · Phoenix Contact · Axc F 1152+13
Diego Giubertoni · Published 2026-05-27 · Updated 2026-05-27
CVE-2025-41669
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The Web-based Management allows a remote, low-privileged Engineer user to install additional APPs downloaded from the PLCnext Store on the device without any data verification mechanism being applied, which lets an Engineer user achieve arbitrary code execution with root privileges on the PLC device. Successful exploitation may allow installation of a manipulated APP package, potentially impacting the integrity and availability of the PLCnext Control.
Fix
Weakness Enumeration
Improper Verification of Cryptographic Signature
Related Identifiers
Affected Products
Axc F 1152
Axc F 1252
Axc F 2000 Ea
Axc F 2152
Axc F 3152
Bpc 9102S
Epc 1522
Rfc 4072R
Rfc 4072S
Vl3 Upc 2440 Edge
Vplcnext Control 1000
Vplcnext Control 2000
Vplcnext Control 3000
Vplcnext Control 500