
Privilege-escalation flaws in Phoenix Contact PLCnext controllers could enable attackers to gain root access


Researchers from Nozomi Networks Labs disclosed a privilege-escalation vulnerability chain affecting a Phoenix Contact PLCnext industrial controller, demonstrating how an attacker with limited access can cross trust boundaries within the device and gain elevated privileges. The researchers found that weaknesses in privilege management allowed a lower-privileged user to interact with components operating at higher privilege levels, ultimately enabling unauthorized actions beyond the permissions originally assigned. The issue highlights how security assumptions embedded in modern ICS (industrial control systems) can break down when trust relationships between software components are not properly enforced.

The research underscores broader security implications for OT (operational technology) environments, where PLCs (programmable logic controllers) increasingly combine traditional control functions with open software architectures. Nozomi warned that privilege-escalation flaws can allow attackers to move from a restricted position to one with greater control over device functionality, potentially affecting system integrity and operational reliability. The findings reinforce the importance of strong privilege separation, secure-by-design development practices, and continuous security assessments to prevent attackers from exploiting trust boundaries within ICS.

“During a recent security research activity, Nozomi Networks Labs analyzed the Phoenix Contact PLCnext AXC F 3152 running firmware version 2024.0.6, identifying several security vulnerabilities in its web interface,” the researchers detailed last week. “According to the vendor, these issues affect multiple PLCnext models, extending the potential impact beyond a single device. The most severe finding allows a low-privileged user with an Engineer profile to escalate privileges and fully compromise the system, enabling the execution of operations that should be strictly forbidden at that access level.”

The post added that following vulnerability notification through a responsible disclosure process, Phoenix Contact promptly addressed the reported issues by releasing updated firmware for the affected devices.

Designed for demanding scenarios, the Phoenix Contact PLCnext AXC F 3152 is commonly deployed in factory automation, energy management, water treatment facilities, and other critical infrastructure. The device provides automation capabilities through its open PLCnext Platform. Its modern web interface, support for multiple industrial protocols, and extensibility through third-party applications make it a flexible cornerstone of many OT environments.

The researchers disclosed that the most critical vulnerability allows a low-privileged user with the Engineer role to abuse the web interface's application installation functionality to escalate to root and gain full control of the device. Although the Engineer role is meant to carry only restricted administrative permissions, the flaw lets such a user make changes to system settings that should be inaccessible at that access level.

In a realistic attack scenario, an adversary does not start as an external hacker scanning the internet. Instead, they may already have limited internal access, for example, a compromised engineering workstation, stolen VPN credentials, or a malicious insider with Engineer-level permissions. With this level of access, the attacker can authenticate to the PLCnext web interface using legitimate Engineer credentials, without needing to exploit a vulnerability.

The exploitation chain begins when an attacker identifies an existing PLCnext application, either one already installed on the device or a legitimate application obtained through the PLCnext ecosystem. The attacker then modifies the application offline to add functionality unrelated to its original purpose. Afterward, the altered application is installed through the PLCnext web interface. 

According to the researchers, the key security weakness emerges at this stage: the device does not enforce digital signature validation on applications, so it cannot verify whether a package genuinely originated from the trusted PLCnext Store, or whether it was altered after leaving it. Once installed, the modified application is executed with root privileges, completing the privilege escalation.

The Engineer user, without ever being granted administrative rights, has now effectively obtained full control of the device. The vulnerability has been identified as CVE-2025-41669 with a CVSS score of 8.8. Once full control of the PLC is obtained, the impact is no longer limited to the device itself; it directly affects physical processes and operational continuity.

Nozomi researchers highlighted that the vulnerability allows a user with the low-privileged Engineer role to escalate privileges to root by modifying a legitimate application obtained from the PLCnext Store. Although the Engineer role is intended to have restricted permissions, users assigned to it can access the PLCnext Apps section of the web-based management interface and manually install applications on the device. During their analysis, researchers examined the Telegraf application and found that it is packaged as a squashfs file system image containing configuration files that define how the application executes on the controller.

To demonstrate the impact, the researchers extracted the application, replaced the original Telegraf executable with a simple test payload, and repackaged the application image. Using an Engineer account, they successfully installed the modified application through the PLCnext management interface. 

Analysis of the resulting output confirmed that the embedded payload executed with root privileges on the underlying Linux operating system. According to Nozomi, the findings show that the device’s failure to validate application signatures allows a low-privileged user to install a tampered application and gain full administrative control of the controller.
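The missing check described above, and the signed-application support Phoenix Contact later introduced, come down to one decision at install time: is the uploaded image accepted because the user's session is valid, or because the image carries a signature that verifies under a key the firmware trusts? The Go program below is an added illustration written for this article, not Nozomi's or Phoenix Contact's code, and it does not use the real PLCnext app format. The `AppPackage` layout, the `installUnchecked` and `installVerified` functions, the throwaway Ed25519 store key and the "hsqs|..." byte string standing in for the squashfs image are all constructed for the example. It runs a genuine, a tampered (executable swapped, original signature kept) and an unsigned package through both install paths.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AppPackage is a stand-in for a PLCnext application bundle: the squashfs
// image bytes plus an optional detached signature. This layout is an
// assumption made for the example, not the real PLCnext app format.
type AppPackage struct {
	Name      string
	Image     []byte // squashfs image (a constructed byte string below)
	Signature []byte // detached Ed25519 signature over Image; nil if unsigned
}

// installUnchecked models the behaviour the researchers describe on
// firmware 2024.0.6: the upload is accepted on the strength of the
// Engineer session alone, so whatever the image contains later runs as root.
func installUnchecked(pkg AppPackage) error {
	if len(pkg.Image) == 0 {
		return errors.New("empty image")
	}
	return nil // no integrity or origin check of any kind
}

// installVerified is the hardened path: the image must carry a signature
// that verifies under the store public key pinned in firmware. Unsigned,
// truncated and re-packed images are all refused before anything is
// unpacked or executed.
func installVerified(pkg AppPackage, storeKey ed25519.PublicKey) error {
	if len(pkg.Image) == 0 {
		return errors.New("empty image")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return fmt.Errorf("%s: missing or malformed signature", pkg.Name)
	}
	if !ed25519.Verify(storeKey, pkg.Image, pkg.Signature) {
		return fmt.Errorf("%s: signature invalid, image altered or not issued by the store", pkg.Name)
	}
	return nil
}

// tamper swaps the bundled executable, as the researchers did offline.
// orig and repl are constructed markers standing in for real binaries.
func tamper(image, orig, repl []byte) []byte {
	return bytes.Replace(image, orig, repl, 1)
}

// Outcome records which install path accepted which package.
type Outcome struct {
	UncheckedAcceptsTampered bool
	VerifiedAcceptsGenuine   bool
	VerifiedAcceptsTampered  bool
	VerifiedAcceptsUnsigned  bool
}

// RunScenario signs a constructed "Telegraf" image with a throwaway store
// key, produces a tampered copy carrying the original signature, and feeds
// genuine, tampered and unsigned packages through both install paths.
func RunScenario() (Outcome, error) {
	storePub, storePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed stand-in for the squashfs image; "hsqs" is the real
	// squashfs magic, the rest is illustrative content.
	genuine := []byte("hsqs|bin/telegraf=<original telegraf binary>|exec-as=root")
	sig := ed25519.Sign(storePriv, genuine)

	good := AppPackage{Name: "telegraf", Image: genuine, Signature: sig}
	bad := AppPackage{
		Name:      "telegraf",
		Image:     tamper(genuine, []byte("<original telegraf binary>"), []byte("<attacker payload>")),
		Signature: sig, // attacker keeps the store signature; it no longer matches the bytes
	}
	unsigned := AppPackage{Name: "telegraf", Image: genuine}

	return Outcome{
		UncheckedAcceptsTampered: installUnchecked(bad) == nil,
		VerifiedAcceptsGenuine:   installVerified(good, storePub) == nil,
		VerifiedAcceptsTampered:  installVerified(bad, storePub) == nil,
		VerifiedAcceptsUnsigned:  installVerified(unsigned, storePub) == nil,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Two caveats apply to any real implementation of this check. The signature must cover everything the controller acts on, including the metadata that says the app runs as root, not just the executable, or an attacker re-labels a signed image. And the public key has to live somewhere an Engineer session cannot write; if the trusted key is itself a setting reachable from the web interface, replacing it becomes the new escalation path.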

After compromising a Phoenix Contact PLCnext AXC F 3152 device, an attacker could use it as a foothold for lateral movement across the network, targeting other connected devices and systems. This access could enable additional compromises, potentially escalating the attack and affecting critical operations or broader infrastructure. 

The compromise could also facilitate denial-of-service conditions by allowing the attacker to disable critical web application features, including network settings, making the device unreachable. In addition, essential OT communication protocols such as EtherNet/IP, OPC UA, and PROFINET could be deactivated, resulting in communication failures and disruption of operational applications.

The researchers also noted that an attacker could weaken the device’s security posture by modifying restricted settings related to authentication, user privileges, or firewall configurations. Such changes could reduce existing security protections, increase exposure to unauthorized access, and create opportunities for further malicious activity within the environment.

Following Nozomi’s vulnerability disclosure, Phoenix Contact has outlined clear steps to strengthen the security of its ecosystem. In particular, the company is introducing support for signed applications, a measure designed to enhance the integrity of engineering workflows.

With this update, engineers will no longer be able to import tampered or manipulated applications when signature verification is enabled. By ensuring that only trusted and verified apps can be used, Phoenix Contact is taking an important step toward preventing unauthorized modifications and reinforcing overall system security.

According to Phoenix Contact, the recommended remediation is to update the firmware of the impacted devices to the latest version.

As a temporary mitigation to reduce the risk, the company recommends that customers grant access to impacted PLCnext devices only to trusted users. Additionally, implementing strict network segregation is essential to prevent unauthorized access to the device.

In April, Nozomi revealed that attackers can chain multiple vulnerabilities in the CODESYS Control runtime to backdoor industrial control applications and gain full control of affected devices. The flaws allow an authenticated attacker with limited Service-level privileges to extract cryptographic material, bypass optional protections such as code signing and encryption, and replace legitimate control logic with a malicious version that executes with root privileges upon restart. As CODESYS-based PLCs are embedded across critical sectors, including manufacturing, energy, and water systems, exploitation could enable manipulation of physical processes, disruption of operations, or unsafe conditions in industrial environments.
