CVE-2023-3572

10.0 CRITICAL

📋 TL;DR

CVE-2023-3572 is a critical vulnerability in PHOENIX CONTACT WP 6xxx series web panels that allows remote, unauthenticated attackers to execute arbitrary commands on affected devices. This vulnerability affects all versions prior to 4.0.10 and can lead to complete device compromise. Organizations using these industrial web panels in operational technology (OT) environments are at significant risk.

💻 Affected Systems

Products:
  • PHOENIX CONTACT WP 6xxx series web panels
Versions: All versions prior to 4.0.10
Operating Systems: Embedded/Industrial OS specific to PHOENIX CONTACT devices
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component of these industrial panels used for human-machine interface (HMI) applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover allowing attackers to modify industrial processes, disrupt operations, install persistent malware, or pivot to other network segments.

🟠 Likely Case

Remote code execution leading to device configuration changes, data theft, or denial of service affecting industrial operations.

🟢 If Mitigated

Limited impact if devices are air-gapped, behind strict firewalls, or have network segmentation preventing external access.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation allows direct attack from anywhere on the internet.
🏢 Internal Only: HIGH - Even internally, the vulnerability requires no authentication and can be exploited by any network-connected attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability involves manipulating HTTP POST requests related to date/time operations to achieve command injection. Public advisories provide technical details that could facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.10

Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-018/

Restart Required: Yes

Instructions:

1. Download firmware version 4.0.10 or later from the PHOENIX CONTACT support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the device's web interface.
4. Verify successful installation and restore the configuration if needed.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate affected devices in separate network segments with strict firewall rules.

Access Control Lists (all)

Implement network ACLs to restrict access to the web panel interface (typically port 80/443).

🧯 If You Can't Patch

  • Disable web interface if not required for operations
  • Implement strict network segmentation and firewall rules to limit access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or serial console. If the version is below 4.0.10, the device is vulnerable.

Check Version:

Check via the web interface at System > Information or via a serial console connection.

Verify Fix Applied:

Verify firmware version shows 4.0.10 or higher in device settings. Test that date/time configuration functions work without allowing command injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to date/time endpoints
  • Multiple failed authentication attempts followed by successful access
  • Commands executed via web interface that shouldn't be possible

Network Indicators:

  • HTTP POST requests with command injection patterns in date/time parameters
  • Unexpected outbound connections from industrial devices
  • Traffic to/from device web interface from unauthorized sources

SIEM Query:

source="industrial_device" AND http_method="POST" AND (uri="*date*" OR uri="*time*") AND (content="*;*" OR content="*|*" OR content="*`*" OR content="*$(*")
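As an added example (not from the advisory or the vendor), the following Python detector applies the same indicators to captured HTTP requests, decoding the form body first so URL-encoded metacharacters such as %3B are not missed, and also flags date/time POSTs from sources outside a trusted allowlist. The endpoint paths, addresses and request bodies are constructed, since the advisory does not name the real endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters the SIEM query above looks for. Matching them on the raw
# encoded body would miss "%3B" or "%24%28", so parameters are decoded first.
METACHARS = (";", "|", "`", "$(")
DATETIME_PATH = re.compile(r"(date|time)", re.IGNORECASE)

def suspicious_values(body):
    """Return decoded (name, value) pairs whose value contains a shell metacharacter."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if any(m in value for m in METACHARS):
                hits.append((name, value))
    return hits

def classify(request, trusted_sources):
    """Return a list of alert strings for one captured request (empty if benign)."""
    alerts = []
    path = urlsplit(request["uri"]).path
    if request["method"].upper() != "POST" or not DATETIME_PATH.search(path):
        return alerts
    if request["src"] not in trusted_sources:
        alerts.append(f"date/time POST from untrusted source {request['src']}")
    for name, value in suspicious_values(request["body"]):
        alerts.append(f"shell metacharacter in parameter {name!r}: {value!r}")
    return alerts

# Constructed sample captures; the path is hypothetical, not the real device endpoint.
SAMPLE_REQUESTS = [
    {"src": "10.0.5.20", "method": "POST", "uri": "/cgi-bin/settime.cgi", "body": "date=2023-07-10&time=12%3A00"},
    {"src": "10.0.5.20", "method": "POST", "uri": "/cgi-bin/settime.cgi", "body": "date=2023-07-10%3Bid&time=12%3A00"},
    {"src": "198.51.100.7", "method": "POST", "uri": "/cgi-bin/settime.cgi", "body": "time=%24%28date%29"},
    {"src": "198.51.100.7", "method": "GET", "uri": "/index.html", "body": ""},
]
TRUSTED = {"10.0.5.20"}  # constructed allowlist of engineering-workstation addresses

def run_detection(requests=SAMPLE_REQUESTS, trusted=TRUSTED):
    """Map request index -> alerts for every request that triggered at least one alert."""
    results = {}
    for i, req in enumerate(requests):
        alerts = classify(req, trusted)
        if alerts:
            results[i] = alerts
    return results

if __name__ == "__main__":
    for idx, alerts in run_detection().items():
        print(idx, alerts)
```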
