Skip to main content

CVE-2025-41667: CWE-59 Improper Link Resolution Before File Access ('Link Following') in PHOENIX CONTACT AXC F 1152

High
VulnerabilityCVE-2025-41667cvecve-2025-41667cwe-59
Published: Tue Jul 08 2025 (07/08/2025, 07:03:50 UTC)
Source: CVE Database V5
Vendor/Project: PHOENIX CONTACT
Product: AXC F 1152

Description

A low privileged remote attacker with file access can replace a critical file used by the arp-preinit script to get read, write and execute access to any file on the device.

AI-Powered Analysis

AILast updated: 07/08/2025, 07:39:47 UTC

Technical Analysis

CVE-2025-41667 is a high-severity vulnerability classified under CWE-59 (Improper Link Resolution Before File Access, also known as 'Link Following') affecting the PHOENIX CONTACT AXC F 1152 industrial controller. The vulnerability allows a low-privileged remote attacker who already has file access on the device to exploit improper handling of symbolic links by the arp-preinit script. Specifically, the attacker can replace a critical file used by this script with a symbolic link pointing to any arbitrary file on the device. When the arp-preinit script executes, it follows this link and performs read, write, and execute operations on the targeted file, effectively granting the attacker the ability to manipulate any file on the device with the script's privileges. This can lead to full compromise of the device's confidentiality, integrity, and availability. The CVSS 3.1 base score is 8.8 (high), reflecting network attack vector (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability is notable because it leverages a common but critical flaw in symbolic link handling, which can be exploited remotely by an attacker with limited privileges, increasing the risk of lateral movement or full device takeover in industrial control environments. No public exploits are known yet, and no patches have been published at the time of disclosure.

Potential Impact

For European organizations, especially those operating critical infrastructure or manufacturing facilities using PHOENIX CONTACT AXC F 1152 controllers, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized control over industrial processes, data theft, sabotage, or disruption of operations. Given the high impact on confidentiality, integrity, and availability, attackers could manipulate process parameters, cause equipment malfunction, or disable safety mechanisms, potentially leading to physical damage or safety hazards. The fact that exploitation requires only low privileges but no user interaction means that attackers who gain minimal access (e.g., through compromised credentials or network exposure) can escalate privileges and fully compromise the device. This elevates the threat level in environments where these controllers are network-accessible or insufficiently segmented. The vulnerability could also facilitate ransomware or destructive attacks targeting industrial control systems, which are critical to European energy, manufacturing, transportation, and utilities sectors.

Mitigation Recommendations

1. Immediate network segmentation and access control: Restrict network access to PHOENIX CONTACT AXC F 1152 devices to trusted management networks only, minimizing exposure to potential attackers. 2. Implement strict file system permissions and monitoring: Ensure that only authorized users and processes have write access to critical files and directories, especially those used by initialization scripts like arp-preinit. 3. Employ integrity verification: Use cryptographic checksums or file integrity monitoring tools to detect unauthorized changes to critical files and symbolic links. 4. Disable or restrict symbolic link following in scripts where possible, or modify the arp-preinit script to validate and sanitize file paths before accessing them. 5. Monitor logs and network traffic for suspicious activities indicative of link manipulation or unauthorized file access. 6. Coordinate with PHOENIX CONTACT for timely patching once available and apply updates promptly. 7. Conduct regular security audits and penetration testing focused on industrial control systems to identify and remediate similar weaknesses. 8. Educate operational technology (OT) staff about the risks of low-privilege access and enforce strong credential management and multi-factor authentication to reduce the risk of initial compromise.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
CERTVDE
Date Reserved
2025-04-16T11:17:48.307Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686cc7a96f40f0eb72f25241

Added to database: 7/8/2025, 7:24:25 AM

Last enriched: 7/8/2025, 7:39:47 AM

Last updated: 7/8/2025, 7:39:47 AM

Views: 2

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats