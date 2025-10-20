Vulnerability Management

Almost half a dozen Phoenix Contact flaws patched

Phoenix Contact has released firmware updates to address five security vulnerabilities in its QUINT4 UPS EtherNet/IP models, but one vulnerability remains unpatched, reports SecurityWeek.

CyberDanube, the researcher who reported the issues, said the flaws, tracked as CVE-2025-41703, CVE-2025-41707, CVE-2025-41704, and CVE-2025-41706, can be used to cause denial-of-service conditions. The firm warned attackers could force devices into a state that "prevents remote recovery."

Moreover, CVE-2025-41703 lets unauthenticated attackers use a Modbus command to switch off the UPS output, described by the researchers as a "dangerous function exploitation" leading to a "denial of power service."

Phoenix Contact applied fixes in firmware VC:07 for the affected models but did not patch CVE-2025-41703, saying a fix would interfere with legitimate functionality. A separate issue, tracked as CVE-2025-41705, can leak password information and enable a man-in-the-middle to capture Webfrontend credentials.

The vendor advises operating these UPS units only on isolated industrial networks and protecting them with a firewall. CyberDanube reported that it did not find any QUINT4 devices exposed on the internet.

