Impact
The vulnerability resides in the Web‑based Management interface of Phoenix Contact PLC devices, where an Engineer user can install application packages from the PLCnext Store without any verification of the package data. This flaw permits the user to load a malicious APP, leading to arbitrary code execution with root privileges on the device. The underlying weakness is a failure to validate data authenticity, corresponding to CWE‑347. The resulting impact includes potential compromise of the confidentiality, integrity, and availability of the PLCnext Control system.
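As an added illustration (not code from the advisory or from Phoenix Contact), the authenticity check that the vulnerable install path lacks, written in Go against a hypothetical package format: the installer accepts a package only if a detached Ed25519 signature over its name and contents verifies under a pinned publisher key. The package layout, the key handling and all function names are assumptions, not PLCnext's own mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AppPackage is a constructed stand-in for a store application package:
// package bytes plus a detached publisher signature (hypothetical format).
type AppPackage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// signedMessage binds name and payload so a valid signature cannot be
// reused for a differently named package.
func signedMessage(p AppPackage) []byte {
	return append([]byte(p.Name+"\x00"), p.Payload...)
}

// installUnverified models the advisory's weakness (CWE-347): whatever the
// Engineer uploads is accepted without any authenticity check.
func installUnverified(p AppPackage) error { return nil }

// installVerified accepts a package only if its detached signature verifies
// under a pinned publisher key (an assumed trust anchor, not PLCnext's own).
func installVerified(pub ed25519.PublicKey, p AppPackage) error {
	if len(p.Signature) != ed25519.SignatureSize {
		return errors.New("package rejected: signature missing or malformed")
	}
	if !ed25519.Verify(pub, signedMessage(p), p.Signature) {
		return errors.New("package rejected: signature does not match contents")
	}
	return nil
}

// signPackage is the publisher side: attach the detached signature.
func signPackage(priv ed25519.PrivateKey, p AppPackage) AppPackage {
	p.Signature = ed25519.Sign(priv, signedMessage(p))
	return p
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	good := signPackage(priv, AppPackage{Name: "demo-app", Payload: []byte("constructed app bytes")})
	tampered := good
	tampered.Payload = []byte("constructed app bytes, modified after signing")
	unsigned := AppPackage{Name: "rogue-app", Payload: []byte("never signed")}
	for _, p := range []AppPackage{good, tampered, unsigned} {
		fmt.Printf("%-9s unverified=%v verified=%v\n", p.Name, installUnverified(p), installVerified(pub, p))
	}
}
```

Only the signed, unmodified package passes installVerified; the unverified path accepts all three, which is the behaviour the advisory describes.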
Affected Systems
The affected devices are all Phoenix Contact PLCnext Control units, specifically the AXC F 1152, AXC F 1252, AXC F 2000 EA, AXC F 2152, AXC F 3152, BPC 9102S, EPC 1522, RFC 4072R, RFC 4072S, VL3 UPC 2440 EDGE, VPLCNEXT CONTROL 1000, 2000, 3000, and 500 series. No specific firmware versions are enumerated in the advisory, so any firmware that supports the Web‑based Management interface may be susceptible.
Risk and Exploitability
The CVSS score of 8.7 indicates a high‑severity vulnerability. No EPSS score is available, so the advisory gives no insight into the current probability of exploitation. The advisory is not listed in CISA’s KEV catalog, so it is not yet a known exploited vulnerability. The likely attack vector is remote exploitation through the web interface: an attacker requires only a low‑privilege Engineer account but achieves root‑level code execution once a malicious app is installed. No additional system configuration prerequisites are mentioned in the advisory.
OpenCVE Enrichment