Privilege Escalation Vulnerabilities in Phoenix PLCnext Controllers Disclosed

Severity: High (Score: 70.5)

Sources: Industrialcyber.Co, www.nozominetworks.com

Published: 2026-06-02 · Updated: 2026-06-02

Keywords: industrial, controller, privilege, plcnext, breaking, trust, boundary

Severity indicators: privilege escalation, industrial control

Summary

Nozomi Networks Labs identified a privilege escalation vulnerability chain in the Phoenix PLCnext AXC F 3152 industrial controller, allowing low-privileged users to gain root access. The vulnerabilities stem from weaknesses in privilege management within the web interface, enabling unauthorized actions. This affects multiple PLCnext models, posing risks to critical infrastructure like water treatment and energy management systems. The most severe flaw allows users with an Engineer profile to escalate privileges and fully compromise the system. Following responsible disclosure, Phoenix released updated firmware to address these issues. The vulnerabilities were published as CVE-2025-41669 on May 27, 2026.

Key Points:

  • Privilege escalation vulnerabilities in Phoenix PLCnext AXC F 3152 allow unauthorized access.
  • Affected systems include critical infrastructure like water treatment and energy management.
  • Phoenix released firmware updates to mitigate the identified vulnerabilities.

Detailed Analysis

**Impact**

Multiple Phoenix PLCnext models, including the AXC F 3152, are affected by privilege escalation vulnerabilities in their web interfaces. These controllers are widely deployed in critical infrastructure sectors such as factory automation, energy management, and water treatment facilities globally. Exploitation allows a low-privileged Engineer user to gain root access, potentially disrupting operational reliability and safety by enabling unauthorized system modifications. The vulnerabilities threaten the integrity and availability of the industrial control processes managed by these devices.

**Technical Details**

The attack vector involves an authenticated user with Engineer-level access exploiting flaws in the web interface's application installation functionality. The attacker modifies an existing, legitimate PLCnext application offline to include malicious code, then installs it to escalate privileges to root. This breaks trust boundaries within the device, allowing unauthorized administrative actions. The vulnerabilities affect firmware version 2024.0.6 and possibly other versions across multiple PLCnext models. No CVE identifiers or specific IOCs were provided in the articles.

**Recommended Response**

Apply the updated firmware released by Phoenix to address the vulnerabilities immediately. Restrict Engineer role access to trusted personnel and monitor for unusual application installation activity on PLCnext devices. Implement network segmentation and enforce strict access controls to limit internal threat vectors such as compromised workstations or stolen credentials. Continuously audit device logs for signs of privilege escalation attempts and unauthorized configuration changes.

Source articles (2)

  • Privilege — Industrialcyber.Co · 2026-06-02
    Researchers from Nozomi Networks Labs disclosed a privilege-escalation vulnerability chain affecting a Phoenix PLCnext industrial controller, demonstrating how an attacker with limited access can cros…
  • Breaking The Trust Boundary Privilege Escalation In A Plcnext Industrial Controller — www.nozominetworks.com · 2026-06-02
    Industrial control systems are often deployed in environments where availability, safety, and reliability are non-negotiable. A single controller can orchestrate production lines, regulate energy flow…

Timeline

  • 2026-05-27 — CVE-2025-41669 published: Nozomi Networks Labs disclosed a privilege escalation vulnerability in Phoenix PLCnext controllers affecting multiple models.
  • 2026-06-02 — Vulnerabilities disclosed: Nozomi Networks Labs detailed privilege escalation flaws allowing low-privileged users to gain root access in PLCnext controllers.
  • Recent — Firmware updates released: Phoenix promptly addressed the reported vulnerabilities by releasing updated firmware for affected devices.

CVEs

  • CVE-2025-41669

Related entities

  • DDoS (Attack Type)
  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Nozomi Networks (Company)
  • Nozomi Networks Labs (Company)
  • Phoenix (Company)
  • CWE-269 - Improper Privilege Management (Cwe)
  • continuity.in (Domain)
  • test.app (Domain)
  • Energy (Industry)
  • Manufacturing (Industry)
  • T1078 - Valid Accounts (Mitre Attack)
  • Codesys Control Runtime (Platform)
  • EtherNet/IP (Platform)
  • Linux (Platform)
  • OPC UA (Platform)
  • Phoenix PLCnext AXC F 3152 (Platform)
  • PLCnext Platform (Platform)
  • Profinet (Platform)
  • Telegraf (Tool)